SOME RIGHTS RESERVED


The articles contained in this magazine are released under 
the Creative Commons Attribution-Share Alike 3.0 
Unported license. This means you can adapt, copy, 
distribute and transmit the articles but only under the 
following conditions: you must attribute the work to the 
original author in some way (at least a name, email or 
URL) and to this magazine by name (‘Full Circle
Magazine') and the URL www.fullcirclemagazine.org (but 
not attribute the article(s) in any way that suggests that 
they endorse you or your use of the work). If you alter, 
transform, or build upon this work, you must distribute 
the resulting work under the same, similar or a 
compatible license. Full Circle magazine is entirely 
independent of Canonical, the sponsor of the Ubuntu 
projects, and the views and opinions in the magazine 
should in no way be assumed to have Canonical 
endorsement. 


Please note: articles in this magazine are provided with 
absolutely no warranty whatsoever; neither the 
contributors nor Full Circle Magazine accept any 
responsibility or liability for loss or damage resulting 
from readers choosing to apply this content to their or
others' computers and equipment.


Welcome to another issue of Full Circle. 


Well, I hope you enjoyed the epic 100 page FCM#100. 
With this issue, normal service resumes. We've no Python 
this month (Greg is getting some surgery done), but we do 
have the usual Inkscape, LibreOffice, the second part of 
creating a website with infrastructure, and a HowTo on 
installing a newer software version. Sometimes the 
repositories are a bit out of date, and it takes a PPA to get 
the latest, and (hopefully!) greatest version of some 
software. Alan Ward is showing you how it's done. 


I've cheated a bit this month with my Arduino column in 
that there's no actual Arduino in it, but it is still 
electronics related. Tron-Club is a new monthly 
electronics box that I signed up for, and, I have to say, I'm 
impressed. I hope more people sign up for it, and it really 
takes off. It's a great idea to gently nudge people into 
electronics. 


Charles discusses installing Drupal 7 in Linux Labs, SJ 
discusses ChromeOS apps and addons in Chrome Cult. 
Also, the first viruses in his Linux Loopback section. 


Things are heating up in the world of Ubuntu phones. The 
BQ E4.5 and E5HD are now, both, available worldwide,
and the Indian online retailer SnapDeal is selling both BQ 
phones tailored to India (ie: with pre-installed Indian 
scopes). This is great news. Even while still in its infancy 
the Ubuntu phones are doing great. While there's still to 
be an official U.S. release (with hardware tailored to that 
market) the BQ phones are a great starting point. 


All the best, and keep in touch! 


Ronnie 
ronnie@fullcirclemagazine.org


NEWS 


Migrate from Proprietary Software to Linux to Create 
Cost Savings 


Amongst the top IT trends of the moment is the 
development of Linux Containers. Financial and technical 
investors, Linux software programmers and customers 
believe that Linux Containers will transform the way 
organisations manage their Linux environments from 
deployment to maintenance. A recent survey by Red Hat 
and Techvalidate says that 56% of the respondents plan to 
use Linux containers as vehicles for rolling out web and 
eCommerce over the next two years. The respondents 
included a number of Fortune 500 companies and public 
sector organisations. Any development in the world of e- 
Commerce is definitely worth taking a look. 


Linux migrations aren't new. Amazon did it in 2001 and 
the eCommerce giant saved $500 on software for each 
server at the time. The real driver went beyond cost
because Amazon could use commodity X86 servers rather
than proprietary UNIX ones. This saved the firm $50,000
per server. Nowadays the running of Linux servers has
become the norm, but virtualisation and Cloud
technologies have become increasingly common in
comparison to the beginning of the century. 


Source: http://www.smartdatacollective.com/linuxit/340813/migrate-proprietary-software-linux-create-cost-savings

Submitted by: Arnfried Walbrecht 


Ubuntu Kylin 15.10 Beta 1 Is Out with Updated 
Software Center, Linux Kernel 4.1 LTS 


Ubuntu Kylin 15.10 Beta 1 is powered by Linux kernel 4.1 
LTS and introduces updates to the most important Ubuntu 
Kylin-specific packages, such as the Ubuntu Kylin Theme 
(ubuntukylin-theme), which has been updated to version 
1.4.0, bringing new Ubuntu Kylin 15.10 logos to the Unity 
Greeter and Plymouth boot splash screen. The Ubuntu 
Kylin Software Center has been updated to version 1.3.5, 
a release that includes optimizations to the list of 
software, the addition of a mouse hover effect, a progress 
bar for the installation, upgrading, and uninstallation of 
software, as well as multiple optimizations to the state of 
the progress bar and the blurbs. 


The Youker Assistant tool reached version 2.0.3 with 
adjustments to the layout of the interface, smoother 
transition when switching the interface, beautified skin 
center, setting module, menu, and info module, revamped 
About dialog, animation, and skin center, an added 
upgrade function, and support for displaying the 
hardware manufacturer's logo. 


Source: http://news.softpedia.com/news/ubuntu-kylin-15-10-beta-1-is-out-with-updated-software-center-linux-kernel-4-1-lts-490282.shtml
Submitted by: Arnfried Walbrecht 


Linux Foundation's security checklist can help 
sysadmins harden workstations 


If you're a Linux user, especially a systems administrator, 
the Linux Foundation has some security tips to share with 
you, and they're quite good. Konstantin Ryabitsev, the 
Foundation's director of collaborative IT services, 
published the security checklist that the organization uses 
to harden the laptops of its remote sysadmins against 
attacks. 


The recommendations aim to balance security decisions 
with usability and are accompanied by explanations of 
why they were considered. They also have different 
severity levels: critical, moderate, low and paranoid. 
Critical recommendations are those whose 
implementation should be considered a must-do. They 
include things like enabling SecureBoot to prevent 
rootkits or "Evil Maid" attacks, and choosing a Linux 
distribution that supports native full disk encryption, has 
timely security updates, provides cryptographic 
verification of packages and supports Mandatory Access 
Control (MAC) or Role-Based Access Control (RBAC) 
mechanisms like SELinux, AppArmor or Grsecurity. 


Source: http://www.pcworld.com/article/2978136/linux-foundations-security-checklist-can-help-sysadmins-harden-workstations.html

Submitted by: Arnfried Walbrecht 


How Ubuntu 15.04 Vivid Vervet Can Prove Useful for 
Enterprise WiFi 


Every business generates data, regardless of its scale. Run 
a business for a month or so and see how deep you get 
buried inside the data that it spawns. The connectivity 
needs of an enterprise center around data. A connection is 
useful when it protects enterprise data and makes data 
transmission fast. Whether the connection is cellular or 
WiFi, if it fails to offer security and speed, it’s not useful 
for an enterprise. 


Ubuntu is perhaps the most preferred Linux distro. And 
you’d be surprised to know not only the end users, but 
enterprises also show a predilection for it. They have their 
reasons. 


Enterprise Ubuntu comes with support for latest WiFi 
practices. This year’s hottest is Ubuntu 15.04 or “Vivid 
Vervet.” It can run on servers, and among its many 
features, one is OpenStack Kilo support. 


OpenStack Kilo is a goldmine for enterprises of all scales. 
You’d keep digging into it and still won’t reach to the 
bottom. Kilo lets an enterprise develop all types of clouds 
and avail all the features with the help of more than 400 
embedded tools. 


Source: http://smallbiztrends.com/2015/09/ubuntu-15-04-vivid-vervet-enterprise-wifi.html?tr=sm
Submitted by: Arnfried Walbrecht 


Xiaomi is rumored to be working on a Laptop... 
running Linux! 


It's now rumored that the third largest maker of 
smartphones on the planet and a Chinese powerhouse is 
going to release their first-ever laptop. This is big news, 
especially considering the company sold over 60 million 
smartphones in 2014. In their homeland, Xiaomi is more
popular than Apple and Huawei, and by December of
2014, they became the world's most valuable startup. 


Now, they plan on expanding their line of mid-priced, 
mid-spec'd hardware into the realm of laptops. More 
specifically, Linux-powered laptops. Some naysayers 
might be shaking their heads saying this will wind up 
another vendor making promises that will only fall flat 
when the public gets product in hand and is utterly 
disappointed. You, however, would be wrong. Why? 
Simple. 


Xiaomi has made a massive name for itself bringing 
custom versions of Android (called MIUI) to its
smartphones. So, the Xiaomi faithful are accustomed to
working with a variant in their interfaces. That translates
to a vanishing barrier to entry for a Linux-powered
laptop released by the company. 


Source: http://www.techrepublic.com/article/xiaomi-is-rumored-to-be-working-on-a-laptop-running-linux/
Submitted by: Arnfried Walbrecht 


IBM Joins Open Mainframe Project For Wider Linux 
Adoption; New LinuxONE Mainframes Launched 


IBM breathes new life into its open mainframe strategy 
with the announcement of new initiatives for wider Linux 
adoption at the enterprise level. Last month, the tech 
giant released a new line of Linux mainframes dubbed the 
LinuxONE. The Emperor is based on the IBM z13 and "is 
the world's most advanced Linux system with the fastest 
processor in the industry," according to IBM. 


It is reportedly capable of analyzing transactions in "real 
time" and has the ability to scale up to 8,000 virtual 
machines or hundreds of thousands of containers. On the
other hand, the "entry-level" LinuxONE Rockhopper comes
in a smaller package with emerging markets in mind. 


Advanced software and hardware encryption features are 
built into both mainframes to keep client data and 
transactions from prying eyes. "Protected-key, available 
on LinuxONE, provides significantly enhanced security 
over clear-key technology and offers up-to 28X improved 
performance over standard secure-key technology," IBM 
said. 


Source: http://www.franchiseherald.com/articles/37783/20150905/ibm-linux-adoption.htm
Submitted by: Arnfried Walbrecht 


Debian Linux versus the CIA 


Hidden backdoors into software have long been a concern 
for some users as government spying has increased 
around the world. Now the Debian project has taken aim 
at the CIA and other government spy agencies with 
reproducible builds that aim to stop hidden backdoors. 


JM Porup reports for Vice: 

In response to the Snowden revelation that the CIA 
compromised Apple developers’ build process, thus 
enabling the government to insert backdoors at compile 
time without developers realizing, Debian, the world's 
largest free software project, has embarked on a campaign 
to prevent just such attacks. Debian's solution?
Reproducible builds. 


In a talk at Chaos Communication Camp in Zehdenick, 
Germany, earlier this month (full text here), Debian 
developer Jérémy Bobbio, better known as Lunar, told the 
audience how the Linux-based operating system is 
working to bring reproducible builds to all of its more
than 22,000 software packages.


Source: http://www.itworld.com/article/2981508/linux/debian-linux-versus-the-cia.html
Submitted by: Arnfried Walbrecht 


Jim Zemlin Explains how the Linux Foundation Scales 
Beyond Just Linux 


When Jim Zemlin helped to start the Linux Foundation 
back in 2007, it was an organization with a singular 
purpose: to help grow and enable the Linux ecosystem. 
Now in 2015, the Linux Foundation is more than just 
Linux, and has helped to enable multiple open source 
foundations and efforts, including the Cloud Foundry 
Foundation, the node.js Foundation, the Open Container 
Initiative, the OpenDayLight, and Let's Encrypt projects. 


In a video interview, Zemlin discusses foundation building 
and talks about why the Linux Foundation is likely to 
keep growing. 


In some respects, the Linux Foundation now provides 
‘Foundation as a Service,’ though that's not the goal
that Zemlin has. Given the broader efforts of the Linux 
Foundation in 2015, Zemlin also has no plans to rename 
the Linux Foundation either. 


"I do think there is a lot of value in the reputation that the 
name Linux implies, in terms of it being the most 
successful open source project in the world," Zemlin said. 


Source: http://www.internetnews.com/itmanagement/jim-zemlin-explains-how-the-linux-foundation-scales-beyond-just-linux.html

Submitted by: Arnfried Walbrecht 


Ubuntu Linux Is Now Supported Across All Rackspace 
Platforms 


In order to provide its users with the best cloud 
experience possible, Canonical's Ubuntu Linux experts will 
provide support for the Rackspace platform while making 
sure that the latest builds are always at their disposal. 
They promise to build, maintain, and patch the Rackspace 
images on the Ubuntu Certified Public Cloud 
infrastructure regularly. 


While Rackspace will deliver its famous Fanatical Support 
to existing and future customers, Canonical ensures its 
users that the Ubuntu Linux images distributed through 
the Ubuntu CPC (Certified Public Cloud) program will 
work out of the box. 


"The reason our customers choose to run Ubuntu is to get 
things done, quickly, easily and without worry," says Udi 
Nachmany, Head of Canonical's Ubuntu Certified Public 
Cloud program. "The less time they spend thinking about 
and maintaining the platform they’re running on, and the 
more time they can spend on their core business or 
mission, the happier we are." 


Source: http://news.softpedia.com/news/ubuntu-linux-is-now-supported-across-all-rackspace-platforms-491469.shtml

Submitted by: Arnfried Walbrecht 


LXD Is the New Pure-Container Hypervisor for Linux, 
Says Mark Shuttleworth 


Canonical's Stéphane Graber has announced that version 
0.18 of the LXD next-generation container hypervisor for 
Linux kernel-based operating systems has been tagged, 
and it is available for download. 


Mr. Graber’s announcement has been backed by Mark 
Shuttleworth, the founder of Canonical and Ubuntu, who 
writes on his Google+ page that LXD is now the new 
pure-container hypervisor for GNU/Linux systems, 
allowing users to test their apps at scale while running 
hundreds of instances of Linux OSes, including Ubuntu, 
Arch Linux, or CentOS. 


"LXD is the new pure-container hypervisor for Linux. It's 
so efficient that on your laptop you can run hundreds of 
instances of Ubuntu or CentOS or Arch, perfect for testing 
your apps at scale," says Mark Shuttleworth. "Adding per- 
container AppArmor now allows you to confine or shield 
processes from one another inside the container, just as 
you can on a normal machine, so it's even closer to ‘just
another machine’."


Source: http://news.softpedia.com/news/lxd-is-the-new-pure-container-hypervisor-for-linux-says-mark-shuttleworth-491934.shtml

Submitted by: Arnfried Walbrecht 


Meizu MX4 Ubuntu Edition review: A flagship Linux 
smartphone 


The MX4 Ubuntu Edition from Chinese maker Meizu is 
the second Ubuntu smartphone to reach the market. 
Originally released for purchase only by linked request 
and invitation, the MX4 is now available for regular 
purchase direct from Meizu's website at €299 euros 
(around £220). Note though, that the MX4 Ubuntu 
Edition is currently only available within the EU. 
Canonical announced plans to port its popular Ubuntu 
Linux distribution as Ubuntu for Phones in January 2013, 
and in April this year we reviewed the first Ubuntu phone 
-- the Aquaris E4.5 Ubuntu Edition from Spanish 
manufacturer BQ. 


Like the BQ phone, the Meizu MX4 is very much a device 
for early adopters, since Ubuntu for Phones is still in the 
development phase. While the €169.90 Aquaris E4.5 is a 
mid-range phone, the Meizu MX4 delivers considerably 
more computing power for €299. It runs on a Meizu- 
customised octa-core MediaTek MT6595 SoC with four 
ARM Cortex-A17 and four ARM Cortex-A7 cores, with a
PowerVR G6200 GPU to handle the graphics, all 
supported by 2GB of LPDDR3 RAM. 


Source: http://www.zdnet.com/product/meizu-mx4-ubuntu-edition/
Submitted by: Arnfried Walbrecht 


Valve hits a Linux landmark—1,500 games available 
on Steam 


Linux gaming was by no means a new endeavor, but 2013 
stands as a major year for the open-source platform's 
gaming prospects with Valve announcing Linux-based 
Steam Machines and the arrival of SteamOS. When we 
looked at the state of Linux gaming after its 12-month 
Valve anniversary, we found nearly 1,000 professional, 
commercially distributed games available as of February 
2015. But this weekend there's an even bigger numeric 
milestone to celebrate according to the Linux site 
Phoronix—1,500 Linux titles are currently available 
through Steam. 


So while Linux on Steam hasn't been a perfect marriage to 
date—lack of driver support has been a continual issue, 
and the overall small market means little return for devs 
working on ports—there remains plenty for Linux 
enthusiasts to get excited about. 


"At the end of 2013, when Valve released the beta of 
SteamOS everything changed," Che Dean, editor of Linux
gaming news site Rootgamer, told Ars earlier this year.
"After years of promoting the various Linux distributions, 
we had a major gaming company not just porting their 
games to Linux, but actually creating their own Linux- 
based operating system. It was an incredibly exciting 
moment and a turning point for Linux users." 


Source: http://arstechnica.com/gaming/2015/09/valve-hits-a-linux-landmark-1500-games-available-on-steam/
Submitted by: Arnfried Walbrecht 


Microsoft has developed its own Linux. Repeat. 
Microsoft has developed its own Linux 


Sitting down? Nothing in your mouth? 


Microsoft has developed its own Linux distribution. And 
Azure runs it to do networking. 


Redmond's revealed that it's built something called Azure 
Cloud Switch (ACS), describing it as “a cross-platform 
modular operating system for data center networking 
built on Linux” and “our foray into building our own 
software for running network devices like switches.” 


Kamala Subramaniam, Redmond's principal architect for 
Azure Networking, writes that: “At Microsoft, we believe 
there are many excellent switch hardware platforms 
available on the market, with healthy competition 
between many vendors driving innovation, speed 
increases, and cost reductions.” 


(Translation: Microsoft partners, we mean you no harm.) 


“However, what the cloud and enterprise networks find 
challenging is integrating the radically different software 
running on each different type of switch into a cloud-wide 
network management platform. Ideally, we would like all
the benefits of the features we have implemented and the
bugs we have fixed to stay with us, even as we ride the 
tide of newer switch hardware innovation.” 


(Translation: Software-defined networking (SDN) is a very 
fine idea.) 


Source: http://www.theregister.co.uk/2015/09/18/microsoft_has_developed_its_own_linux_repeat_microsoft_has_develo
Submitted by: Arnfried Walbrecht 


Microsoft has built software, but not a Linux 
distribution, for its software switches 


While the software is real, Microsoft isn't characterizing it 
as a Linux distribution, telling us that it's an internal 
project. That's an important distinction, and we suspect 
that we're not going to see a Microsoft Linux any time 
soon. 


The Open Compute Project (OCP), of which Microsoft is a 
member, is an industry group that is working together to 
define hardware and software standards for data center 
equipment. This includes designs for high-density 
compute nodes, storage, and networking equipment. One 
part that Microsoft has been working on is network 
hardware, in particular, software-defined networking 
(SDN). SDN adds a layer of software-based
programmability, configuration, and centralized
management to hardware that is traditionally awkward to 
manage. Traditional network switches, even managed 
ones, aren't designed to enable new policies—alterations 
to quality-of-service or VLANs, say—to be deployed to 
hundreds or thousands of devices simultaneously. And to 
the extent that such capabilities are present, they vary 
from vendor to vendor. 


So why isn't the company calling this new endeavor a 
distribution? The big reason is that the company doesn't 
intend to distribute it. Again, it's an internal development 
that showcases the OCP approach, but it isn't a package 
that will be given to third parties. 


Source: http://arstechnica.com/information-technology/2015/09/microsoft-has-built-software-but-not-a-linux-distribution-for-its-software-switches/
Submitted by: Arnfried Walbrecht 


Linux Mangaka Mou Arrives for Anime and Manga 
Fans, Based on Ubuntu 14.04 LTS 


Linux Mangaka Mou is the fifth major release of the 
Ubuntu-based distro for anime and manga fans. It is 
currently based on the latest LTS (Long-Term Support) 
version of the world's most popular free operating system 
and built around the lightweight MATE desktop 
environment. Linux Mangaka's sole purpose is to provide 
anime and manga fans with all sorts of tools for 
fansubbing and fandubbing. 


"Today the whole Animesoft team are proud to be able to 
announce the final stage of Mou, which is based on 
Ubuntu with the lightweight MATE desktop, containing 
Apple and IBM PowerPC 64-bit architecture scripts. As 
any other Mangaka release (except One) you will be able 
to run on any 64-bit PC and enjoy an out-of-box fast and
complete Linux for anime & manga multimedia viewing 
and editing purpose," said the Linux Mangaka developers 
in an email to Softpedia. 


Source: http://news.softpedia.com/news/linux-mangaka-mou-arrives-for-anime-and-manga-fans-based-on-ubuntu-14-04-lts-492217.shtml

Submitted by: Arnfried Walbrecht 


Tips for Improving the Linux Desktop Security 


One of the longest-held beliefs is that the Linux desktop 
comes with an invulnerable and foolproof security system.


A close examination of the security system indicates that 
this might not be the case after all. The desktop running 
on Linux Operating System needs enhanced protection to 
provide it with excellent security and ensure that it can 
withstand the most vicious attacks from the latest and 
highly potent malware as well as viruses and spyware of 
today. 


Before delving into the measures you can take, it would 
be good to explain that one of the reasons behind the 
ever-increasing blatant hacking of Linux desktops is the 
desire to steal network bandwidth as well as the storage 
space. After hacking the Linux servers, the hackers are 
then able to spread spam, malware and scams together 
with phishing campaigns to all corners of the world. Life 
can be quieter for Linux desktop, but not all the time. 
Therefore, the question that needs answers is this; what 
can you do to improve the protection and security of the 
Linux desktop? 


Source: http://neurogadget.com/2015/09/23/tips-for-improving-the-linux-desktop-security/16034
Submitted by: Arnfried Walbrecht 
Command & Conquer
Vagrant - Simplify development 


Lucas Westermann 


If you have ever developed anything that needed to be
tested or run on a system outside of the local
development server or workstation, you’ve probably
hoped for an easy way to control a test environment, or to
emulate the target server. This is essentially what Vagrant
wants to offer. It’s a tool that creates a configuration file
for a server - specifications, OS, what to install, and links
to the sources (such as ISOs). This file is then run through
Vagrant, which creates a VirtualBox virtual machine
running everything outlined in the Vagrantfile.


Now... you may be asking yourself why you wouldn’t just
do this by hand. Vagrant pays off if you’re going to need
the development server on and off (such as in web
development, where certain combinations of software and
OSes, or particular versions, are common), or if you need
to be able to pass the exact development environment to
other people, such as when working in a team. This way,
you can just share the Vagrantfile (and, possibly, the
source files), and the other team members will be up and
running swiftly.


Vagrant also handles certain aspects - such as installing
guest additions, enabling SSH access, and various other
aspects. It also ensures the networking interface is
bridged, so that you can access software running on the
server from your local network (and so can any other host
on that network). For anyone who uses a local Apache
install and virtual hosts for their web projects, this is one
way of creating virtual machines of your server, running
the actual software you'll encounter on deployment. If
you, like me, tend to delete virtual machines the moment
you’re done with them because they’re hogging your hard
drive space, Vagrant is a perfect match. Keep the
Vagrantfile, and delete everything else. Space saved!


How does it work? 


Vagrant must be installed (it’s a command-line tool), as 
well as VirtualBox. In Ubuntu it’s as simple as sudo apt-get 
install vagrant virtualbox. If you’re using a different host OS, 
you'll need to check how best to install them. 


Once Vagrant is installed, you can either download a 
Vagrantfile (there are many posted on github, or on 
http://www.vagrantbox.es/), or create one yourself. 
Creating one on your own is something I haven’t yet 
done. As such, we’ll focus on the more common scenario 
of using a pre-built Vagrantfile. If there is interest in 
creating custom Vagrantfiles, send me an email, and I will 
follow up this article at a later date. A rough scenario is 
using vagrant init, and then adjusting the default 
Vagrantfile to suit your needs. 


Getting started 


For the sake of this article, I’ll be using a prebuilt
Vagrantfile called “django-python3-vagrant”. See the 
Further Reading for a link. 


Download the file:

git clone https://github.com/FlipperPA/django-python3-vagrant.git

Then cd into the folder:

cd django-python3-vagrant


Unfortunately, this vagrantfile is geared towards utopic - 
which is no longer located on the Ubuntu server. So, time 
to edit the Vagrantfile! 


On line 6, you’ll want to change the line from
“django_config.vm.box = "utopic64"” to
“django_config.vm.box = "trusty64"”.


Replace line 10 with the following: 


django_config.vm.box_url = "https://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box"


Here, you need to run: 


vagrant up 


Once that command finishes running, you can log into the 
VM using 


vagrant ssh 


Upon login, you'll be greeted by some instructions on
creating a Django project. Follow them. However, on the
runserver step, you'll need to replace 0.0.0.0:8000 with
the actual IP of the server. Find this using ifconfig. For
example:

python manage.py runserver 192.168.1.200:8000


After that, you can access the django instance using the IP 
address of the server. 
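
The two Vagrantfile edits from the steps above, as an added shell example that is not part of the original article or of the django-python3-vagrant project: it matches the two settings by name instead of by line number, refuses to touch a file that does not look as expected, and keeps a backup. The function names are hypothetical, and the sample Vagrantfile is constructed for illustration because the project's real file is not reproduced in the article.

```shell
#!/bin/sh
# Added example: apply the article's two Vagrantfile edits by matching the
# settings themselves, so the script keeps working if line numbers shift.

TRUSTY_BOX="trusty64"
TRUSTY_BOX_URL="https://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box"

# count_setting FILE KEY
# Prints how many lines in FILE assign django_config.vm.KEY.
count_setting() {
    grep -c "^[[:space:]]*django_config\.vm\.$2[[:space:]]*=" "$1" || true
}

# retarget_vagrantfile FILE
# Points FILE at the trusty box. Returns 1 and leaves FILE untouched unless
# each of the two settings is assigned exactly once. The original is kept
# as FILE.orig so the change can be reviewed with diff.
retarget_vagrantfile() {
    file=$1
    [ -f "$file" ] || { echo "retarget: $file not found" >&2; return 1; }

    for key in box box_url; do
        n=$(count_setting "$file" "$key")
        if [ "$n" -ne 1 ]; then
            echo "retarget: expected one django_config.vm.$key line, found $n" >&2
            return 1
        fi
    done

    cp -p "$file" "$file.orig" || return 1
    sed -e "s|^\([[:space:]]*django_config\.vm\.box[[:space:]]*=\).*|\1 \"$TRUSTY_BOX\"|" \
        -e "s|^\([[:space:]]*django_config\.vm\.box_url[[:space:]]*=\).*|\1 \"$TRUSTY_BOX_URL\"|" \
        "$file.orig" > "$file"
}

# write_sample_vagrantfile PATH
# Constructed sample standing in for the project's Vagrantfile; only the two
# setting names come from the article.
write_sample_vagrantfile() {
    cat > "$1" <<'EOF'
# -*- mode: ruby -*-
Vagrant.configure("2") do |config|
  config.vm.define "django" do |django_config|
    django_config.vm.box = "utopic64"
    django_config.vm.box_url = "https://example.invalid/utopic64.box"
  end
end
EOF
}
```

Run `retarget_vagrantfile Vagrantfile` from the cloned folder, then compare `Vagrantfile.orig` with `Vagrantfile` before running vagrant up.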


To stop the VM: 


vagrant halt 


In previous versions, this was vagrant shutdown. So if halt 
doesn’t work for you, try shutdown. 


To delete the VM: 


vagrant destroy 


If you run into issues, make sure of the following things: 


1. You’re using the right IP in both your browser and
the runserver command.

2. You’re running the vagrant commands from the
folder that contains the Vagrantfile.


Hopefully, this will be of use to anyone who needs to
frequently create the same (or similar) virtual machines. If
you have questions, comments, or suggestions, feel free to
contact me at lswest34+fcm@gmail.com. Have a
Vagrantfile you can’t live without? Or a Vagrant tip that
saves time? Email them to me, and I’ll compile them into
an article.


Further Reading

https://github.com/FlipperPA/django-python3-vagrant - Vagrantfile
http://vagrantbox.es - Prebuilt boxes
https://www.vagrantup.com/ - Vagrant homepage


Installing a more recent version of a 
program than is currently available in 
the repositories 


by Alan Ward 


Programs with a large user-base, such as Mozilla Firefox, 
generally benefit from quick inclusion of new releases into 
the Ubuntu repositories. Right now, the current version of 
Firefox is 39.0, and I have version
39.0+build5-0ubuntu0.14.04.1 installed from the
repositories - so all is golden. 


However, this is not always true. Take the other slightly 
less-known application from Mozilla, the Mozilla 
Thunderbird email client. At the time of writing, 
Thunderbird is at version 38.1 since July 9, 2015 while 
the version in the repositories is merely a 31.8, to be
precise 1:31.8.0+build1-0ubuntu0.14.04.1.


My personal gripe against Thunderbird’s version 31 is that
it does not yet automatically include the calendar plugin,
unlike version 38. So I would like to upgrade this program 
directly, instead of relying only on the Ubuntu 
repositories. 
In the following description, we will see how to do this
for Thunderbird, although the basics are extensible to
other applications. As a sidenote, there is actually an
Ubuntu Wiki page on installing new versions of Mozilla
Thunderbird:
https://help.ubuntu.com/community/ThunderbirdNewVersion.
Unfortunately, the information
within is quite out-dated, since it refers to Ubuntu 
versions 10.04 and 10.10. But there is an interesting 
indication that is current in many respects, and that can 
be borne in mind: going beyond the repository version is 
specifically “NOT recommended by the Ubuntu Mozilla 
team due to interoperability concerns.” The operation is 
classified as “Medium difficulty, medium safety”, so may 
be outside of many users’ comfort zones. 


So, what are our options to get access to the newest and 
greatest version of an application such as Thunderbird? 


The first one that comes to mind (for an old-timer, at 
least) would be to download the source code and compile 
the program ourselves. This is definitely possible, open 
source being... open, with the source code readily 
available. However, it is also definitely going to mean 
downloading not only the source code, but also any tools
necessary to do the compiling and linking (developer
version of libraries, the compiler itself), and may require
some navigation through library dependencies. So, while
this path is certainly possible and results in an application
that is perfectly integrated into our current system, it is
perhaps not to be recommended unless we already enjoy
software development in the C or C++ languages.


So, if we wish to avoid compiling from source code, we 
have at least two options to obtain a pre-compiled
application in binary (executable) form. 


One option is using the very same apt package system we 
are so used to, to perform installation. This means adding 
a supplementary repository to those we already have - 
Canonical’s main, universe, multiverse repositories and so 
forth. This new one is hosted by the Launchpad system, 
and has its home page at
https://launchpad.net/~ubuntu-mozilla-daily/+archive/ubuntu/ppa.
As its name says,
this repository holds daily builds of the most recent 
version of Thunderbird. So, as root, let us add this 
repository to our list with: 


$ sudo bash 
# apt-add-repository ppa:ubuntu-mozilla-daily/ppa 


Now, refresh repository content lists with: 


# aptitude update 


and consult the version of Thunderbird that is available: 


# aptitude show thunderbird-trunk 


Please note the name of the main package for 
Thunderbird in this daily repository is not ‘thunderbird’, 
but ‘thunderbird-trunk’. This is so we can distinguish 
between the two versions. In my case, I get: 


41.0~a1~hg20150519r17960.244718-0ubuntu1~umd1~trusty 


Wow! We now have a version 41.0 available to us! And 
the version on the Mozilla web page is only up to a 
measly 39! So let’s test it out. In a terminal, type the 
command: 


thunderbird-trunk 


And watch it start up. The About dialog states quite 
clearly that this is, in fact, version 41. 


[Figure: the About Daily dialog, showing version 41.0a1 (2015-05-20) and the notice “Daily is experimental and may be unstable”.] 


However, it also states clearly something that should be a 
word to the wise: “Daily is experimental and may be 
unstable”. This is something I noticed when it was 
incapable of authenticating against my Gmail server - 
something which any version of Thunderbird has done 
with flying colors for the last many years. Luckily, the 
developers have had the good idea to have this daily 
version not operate directly on the existing mail data, so 
there is little chance of it trashing all those messages you 
have on your hard drive. 


It is clear, however, that playing around with a daily 
version should be seen as working with beta grade 
software, at best. It is good enough to test out - but 
certainly not for production machines, or for ordinary 
users’ peace of mind. 


The final option to download a stable version of 
Thunderbird is simply to consult the Download section of 
the project’s website, at 
https://www.mozilla.org/en-US/thunderbird/all/. 


Here, we find pre-compiled binaries for all three major 
desktop operating systems: Windows, OS-X and 
GNU/Linux. For the latter, make sure to choose the version 
corresponding to your preferred language. Also choose 
between 32-bit or 64-bit. If you are not sure which 
version of the Linux kernel you are running: 


uname -a 


and if you see “x86_64” in the information returned then 
this is a 64-bit kernel. “i386” or “i686” means a 32-bit 
kernel. 


The file that is downloaded should be a compressed 
archive with the tar.bz2 extension. At the time of writing, 
the latest version was thunderbird-38.1.0.tar.bz2, rather 
less than the 41.0 numbering of the daily version. 


Once downloaded, just click on the file and it will open in 
whatever archive compression/decompression utility is 
associated with this file extension. The exact program 
invoked will depend mostly on the desktop manager used, 
but, in many cases (Unity, Gnome, Cinnamon), it would 
be the Gnome archive manager file-roller. Once the 
compressed file is open in the archive utility, extract it, 
for example to the desktop. The archive utility can be 
closed. 




You should now have a folder on the desktop simply 
called “thunderbird”. This contains a large number of 
files, among which the main file (i.e. the Thunderbird 
program itself) is unsurprisingly also named 
“thunderbird”. 


In any terminal, run 


$ Desktop/thunderbird/thunderbird 


and, voila, the new version of Thunderbird should start 
up. It is worth noting that it should directly access your 
existing configuration and message files, which are not in 
this folder but in the hidden folder ~/.thunderbird. If you 
are not running Ubuntu in English, but in another 
language, simply substitute the correct name for your 
desktop (Bureau/thunderbird/thunderbird, =) / 
thunderbird/thunderbird, etc.) 


If this doesn’t work, the advantage of using a terminal to 
launch the newly-downloaded program is that any error 
messages will be visible for perusal. 


For best results, it is recommended to run a fairly recent 
version of *Ubuntu. The most recent LTS version (now 
14.04) or Linux Mint equivalent (17.2) should be fine 
with recent versions of Thunderbird. Otherwise, it is very 
possible that some library files are not in sufficiently 
recent versions for today’s Thunderbird to work. 




To install this program to benefit all system users, best 
practice would involve moving it to the /opt directory. 
This needs to be done as root. So: 


$ sudo bash 
# cd ~/Desktop 
# mv thunderbird /opt/ 


Now, let’s rename the existing version of Thunderbird, 
and link to the new version. 


# cd /usr/bin 
# mv thunderbird thunderbird-ubuntu 
# ln -s /opt/thunderbird/thunderbird 


From this point on, all references to the Thunderbird 
program should point towards the newer version: this is 
the one that gets started when using the links in the 
menus, dock or status bar. The old version can still be 
accessed by typing the command 


$ thunderbird-ubuntu 


Needless to say, if the user should not be satisfied with 
the new program, it can safely be uninstalled and rolled 
back to the earlier version by issuing the following 
commands: 


sudo bash 
cd /usr/bin 
rm thunderbird 
mv thunderbird-ubuntu thunderbird 
rm -r /opt/thunderbird 


LibreOffice Part 53 
Presenter Console 


by Elmer Perry 


At least twice a year, I teach installer training for my 
company. During training, I show several presentations. 
Of course, my choice of presentation programs is 
LibreOffice Impress. As you might already know, one of 
the reasons is the Impress Remote app for Android, but 
even when I don't use Impress Remote, I still use Impress 
for a feature called the Presenter Console. The console is a 
control panel for the person giving the presentation, with 
tools to view notes, move between slides, and keep track 
of the time you have spent on a presentation. 


When I give my presentations, I am on a laptop connected 
to a big screen or projector. Any time you have dual 
monitors, you can set your system to use the Presenter 
Console. Make sure your second monitor is not set to 
mirror the first monitor. You want the second monitor to 
extend the first monitor. The good thing is the extended 
mode allows each monitor to have the best resolution for 
that monitor. Making the second monitor an extension of 
the first also allows you to use the Presenter Console. 


[Figure: the Multiple Displays section of the Slide Show Settings dialog, with “Presentation display” set to “Auto External (Display 2)”.] 


Before you begin, make sure that the slide show is set to 
show on the second screen. You can check this in the 
menus, Slide Show > Slide Show Settings. Under Multiple 
Displays, select the monitor you want the presentation to 
appear on. This option is available only when you have 
multiple monitors. This setting does not save with the 
presentation document but in the Impress settings. 


[Figure: the Presenter Console in its default mode, showing the current slide (6 of 10).] 


When you start your presentation (Slide Show > Start 
from first Slide), the Presenter Console will appear on 
your non-presentation monitor. The default mode shows 
the current slide, the next slide, and the control bar. The 
current slide keeps you up to date on what is showing on 
the presentation screen, so you don't have to look behind 
you or away from your notes to see what your audience 
sees. This is especially important when you have 
animations that bring your points up one at a time on the 
slide. The next slide shows you the complete, finished 
slide that comes after the current one. The control bar is 
the main component of the console. In the bar you can 
change between the different modes, switch slides, view 
notes or slides, or swap the views on the monitors. 


[Figure: the control bar, with the Previous, Next, Notes, Slides, Exchange and Help buttons.] 


The previous and next buttons move you through the 
slides. The previous button moves the presentation to the 
start of the previous slide. The next button moves you 
forward to the next animation, or, if there are no more 
animations on the current slide, the next slide. I hardly 
use these. I usually use the spacebar to move forward and 
the backspace to move backward. The choice is yours, and 
these buttons work great if you want to keep your hands 
on a mouse. 


[Figure: the Presenter Console in notes mode.] 


The Notes button switches the display to notes mode. In 
notes mode, you get a smaller version of the current slide, 
and the next slide moves to a position underneath it. The 
right side of the console displays any notes for the current 
slide. This mode is very helpful when you have a lot of 
notes in your presentation, which I highly recommend 
you do when giving a presentation for the first time. The 
+ (plus) and - (minus) buttons allow you to change the 
size of the text in the notes. Ideally, your notes will fit on 
the screen, but sometimes, you need more notes. 
Adjusting the size allows you to find that happy spot 
between readability and max coverage. You get a scroll 
bar when the notes are too long to fit in the note window. 
The close button closes the notes and returns you to the 
default mode. 


The slides button on the control bar pops up a display of 
all the slides in the presentation. You can use the scrollbar 
to scroll through your slides until you find the one you 
need. When you select a slide, the slide shows on the 
main presentation monitor. Click the close button to 
return to the previous view mode (default or notes). This 
comes in handy when someone brings up a topic you have 
already discussed, and you want to go back to the slide 
where the topic was discussed. I find myself doing this 
from time to time, and the slides screen is much faster 
than using the previous button. 


In the center of the control bar are the clock and timer. I 
use the timer to keep track of how much time I have spent 
on the current presentation. Am I moving too fast? Do I 
need to slow down? Do I need to get on with it? The clock 
is also useful for the same thing. Gotta be finished by 
noon? Knowing what time it is without looking at your 
watch or phone sure does help. The clock and timer are 
helpful for keeping on schedule. 


The Exchange button allows you to swap the monitor 
displays. Not sure why you would want to do this, but it is 
there as an option. I guess if, in a pinch, you got your 
displays backwards, you could swap the monitors to get 
things on the right displays. Or you needed to show the 
presenter screen to your audience? I'm really not sure why 
it exists, but it is there should you ever need it. I'm sure it 
will save someone somewhere some embarrassment some 
day. 


[Figure: the Help screen, listing the keyboard shortcuts for the Presenter Console.] 

The last button on the control bar is the Help button. 
Clicking Help brings up a list of all the keyboard shortcuts 
for the console. When giving presentations, I find the 
podium is not big enough for me to have a mouse, and I'm 
not very fond of laptop mousepads. Keyboard shortcuts 
make it much easier to navigate. There are a few, but it's 
not so many that you can't memorize them. For next and 
previous, I recommend you find the pair that works best 
for you and use it. I use the spacebar for next and 
backspace for previous. The forward and backward 
relationship makes them easy for me to remember. The 
right and left arrows also make sense for the same reason. 
The CTRL-1 (standard view), CTRL-2 (notes view), and 
CTRL-3 (slides view) shortcuts make it quick and easy to switch 
between the different views. B blacks out the screen. Use 
it during breaks, or to divert the audience's attention 
elsewhere. Press B again to bring the screen back. W does 
the same thing, only it whites out the screen. Press ESC at 
any time to end the slide show. If you know the number 
of the slide you want to jump to, enter the number and 
press Enter. Home takes you to the first slide, and End 
takes you to the last one. G and S grow and shrink the size 
of the notes text, and H and L move the cursor in notes 
view backward and forward. 


The Presenter Console in Impress is a handy control 
center for anyone giving a presentation. The screen 
always lets you know the current status on the 
presentation monitor and shows you the next slide in the 
presentation. The control bar gives you access to all the 
features of the console. The notes mode shows you the 
notes for the current slide. The slides mode allows you to 
quickly switch to any slide in the presentation. The help 
button gives you a reminder of the keyboard shortcuts for 
the console. The Presenter Console keeps the presenter in 
control of the presentation. 


Build a Website with Infrastructure from 
scratch — Part 2 


By John 


Now that our Linux VM is built, we must add security 
for better server protection; this will be accomplished by 
using the Linux firewall capabilities. Afterwards, we will 
install a web server and set up additional security on the 
web server. 


Today we will focus on the Linux firewall. We will use 
iptables, the standard Linux firewall functionality. 


A Firewall is basically a set of rules. As best practice, we'll 
use the “deny access” default rule — this means that unless 
specified otherwise, an incoming network packet will be 
dropped. 


External access to our server will be allowed under: 


* SSH - for remote control 
* HTTP - to serve web pages (our website) 


Right now, anybody can try connecting to our server via 
SSH. Obviously, that will not be possible without the 
private key; however, we'd like to limit who can even try 
to connect to our server — this is just best practice and 
limits access to any additional potential hacks. 


For example - let's suppose you live in the US - it's 
probably a good idea to allow SSH connections only from 
the US (any SSH connection attempt from outside the US 
is not legitimate - it's not you!!! - so it should be 
banished). 


In addition, we may decide we will not do business with 
specific countries - we will block any web access (HTTP) 
from these countries. In my example, I will choose Canada 
(note here - this is only an example, there is absolutely 
nothing wrong with Canada what.so.ever - I am just 
choosing a country which is a Democracy, this way, I 
know I won't get into trouble!!!). 


Please note that checking the incoming country is not 
foolproof — the source connection can spoof the IP address 
(or just VPN into a server from an unblocked country). 
Anyway - this is good protection against automatic bot 
scanners and will definitely help keep hackers away. 


Without getting into too much detail, the firewall rules 
can be set for incoming, outgoing, and forward 
connections. 


Since we are not forwarding anything, we will just set 
rules for incoming (most important), outgoing (more later 
on why) and ignore forwarding (by default forwarding is 
disabled in the kernel anyway). 


Step by step now 


Quick reminder: only sudo (or root) can set up firewall 
rules. To switch to root, I recommend typing sudo su 


1 - Reset any firewall rule and DROP any incoming 
connections: 


Most distributions come with some type of firewall rules 
set up by default. (Centos & Suse do for sure — not totally 
sure about Ubuntu). 


We will reset any rules so we can start from scratch: 


iptables -F 
iptables -X 


And by default DROP any incoming connections: 


iptables -P INPUT DROP 


2 — Allow local connections (to localhost): 


iptables -A INPUT -i lo -p all -j ACCEPT 
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 


3 - Block incoming connection if it originates from a 
specific country: 


There are several ways to check the country-of-origin of 
an incoming connection: 


* iptables geoip 
* loading country blocks into ipset 


iptables with geoip is based on xtables-addons, which is 
an extension of iptables. This works pretty well. However, 
it's not really a “standard” - meaning xtables is not 
delivered with some distributions (requires compile from 
sources & install). For example, I was unable to make this 
work with Arch Linux on ARM architecture (not saying it 
is not working, just saying I was unable to make it work — 
big difference!). 


ipset is a companion application to iptables — it can load 
in-memory ranges of IP addresses, and iptables can 
leverage ipset to test if an IP is within this range. 


For geo-localization, I will choose ipset - which seems to 
be available as a packaged install to any distribution I 
have tried so far. 


sudo apt-get install ipset 


Let's summarize what we want to achieve here: 


* Get the IP range block we want to forbid (country 
based). 
* Load that range into ipset. 
* Add an iptables rule which checks if the source is within 
that range (Canada in our example). 
* If yes, block. 
* If not: 
  - Allow if target is HTTP (a web page). 
  - If target is SSH, we must also check country of 
    origin is USA (same as above - with ipset). 


I hope you follow me here!!! 


IP blocks by country can be found here: 
http://www.ipdeny.com/ipblocks/data/aggregated 


We'll get the blocks of US and Canada - either download 
the file or use wget: 


wget http://www.ipdeny.com/ipblocks/data/aggregated/ca-aggregated.zone 
wget http://www.ipdeny.com/ipblocks/data/aggregated/us-aggregated.zone 


Now load the blocks into ipset's memory: 


* Create an ipset bucket called myset_CANADA: 


ipset create myset_CANADA hash:net 


* Load the blocks corresponding to Canada into 
myset_CANADA: 


for i in $(cat ca-aggregated.zone); do ipset add myset_CANADA $i; done 


Same for US block range: 


ipset create myset_USA hash:net 
for i in $(cat us-aggregated.zone); do ipset add myset_USA $i; done 
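

An added example, not part of the original article: the zone files are fetched over plain HTTP and every line is handed to ipset as root, so this function checks each line before writing a batch for ipset restore. The names zone_to_restore and sample_zone, the sample lines, and the /8 minimum prefix are assumptions made for the example.

```shell
#!/bin/bash
# Added example: validate a country zone file and emit an `ipset restore` batch.
#
# zone_to_restore SET_NAME ZONE_FILE [MIN_PREFIX]
#   stdout: one "create" line and one "add" line per accepted CIDR
#   stderr: one message per rejected line
#   status: 0 = every line accepted, 1 = at least one line rejected,
#           2 = unusable set name
# Typical use (load only when nothing was rejected):
#   zone_to_restore myset_CANADA ca-aggregated.zone > ca.restore \
#       && ipset restore < ca.restore
zone_to_restore() {
    # The set name also ends up in root-run commands, so keep it plain.
    case $1 in
        ''|*[!A-Za-z0-9_]*) echo "bad set name: $1" >&2; return 2 ;;
    esac
    awk -v set="$1" -v minp="${3:-8}" '
        function valid_cidr(s,    half, oct, i) {
            # Exactly four dotted decimal fields, a slash, and a prefix length.
            if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) return 0
            split(s, half, "/")
            # Assumption: anything wider than /8 is not a country block.
            # A /0 or /1 line would match most of the Internet.
            if (length(half[2]) > 2) return 0
            if (half[2] + 0 < minp + 0 || half[2] + 0 > 32) return 0
            split(half[1], oct, ".")
            for (i = 1; i <= 4; i++)
                if (length(oct[i]) > 3 || oct[i] + 0 > 255) return 0
            return 1
        }
        BEGIN { print "create " set " hash:net"; bad = 0 }
        {
            sub(/\r$/, "")                  # tolerate CRLF line endings
            gsub(/^[ \t]+|[ \t]+$/, "")     # trim surrounding whitespace
            if ($0 == "" || $0 ~ /^#/) next # skip blank lines and comments
            if (valid_cidr($0)) {
                print "add " set " " $0
            } else {
                printf "line %d rejected: %s\n", NR, $0 > "/dev/stderr"
                bad = 1
            }
        }
        END { exit bad }
    ' "$2"
}

# Constructed sample input (documentation address ranges, not ipdeny data):
# two good lines followed by four lines that must be rejected.
sample_zone() {
    cat <<'EOF'
192.0.2.0/24
198.51.100.0/24
0.0.0.0/0
203.0.113.0/33
300.1.2.0/24
203.0.113.0/24 extra
EOF
}
```

Loading one batch with ipset restore also replaces the thousands of separate ipset add calls made by the loop.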


Now we'll block anything coming from Canada 
(conjunction of iptables & ipset): 


iptables -A INPUT -m set --match-set myset_CANADA src -j DROP 


If the rule above is hit, the connection is dropped (-j 
DROP does that) and we exit the firewall. 


4 - If we get up to here in the firewall chain, we can 
accept any HTTP incoming connections: 


iptables -A INPUT -p tcp --dport 80 -j ACCEPT 


If the rule above is hit (meaning “true”), the request is 
accepted (-j ACCEPT) and we exit the firewall. 


5 - If we get up to here, the source is not coming from 
Canada and it’s not an HTTP request. If the request is not 
SSH, drop the request and exit the firewall: 


iptables -A INPUT -p tcp ! --dport 22 -j DROP 


6 - If we've got this far, it is an SSH request (and not from 
Canada): let's check if the source country is allowed (USA in 
our example). 


Before accepting, let's write into the system log that 
access to port 22 has been granted - we will log this 
information into /var/log/messages (default system log 
file). Logging is important for security reasons - by 
running statistics on /var/log/messages you will find out 
who tried to access your system. Note that we do not 
track who has connected but who tried to connect: 


iptables -A INPUT -j LOG --log-prefix "Accepted SSH " --log-level 7 
iptables -A INPUT -m set --match-set myset_USA src -j ACCEPT 


Just in case we missed anything, any connection that 
reaches the rule below will be dropped (remember - we 
drop everything by default unless specified otherwise): 


iptables -A INPUT -j DROP 


It’s not mandatory — but we can add some additional 
security to the above rules. 


Let's imagine that somebody really wants to hack your 
system by trying every combination of RSA key possible — 
that is called a brute-force-attack. No worries — with a 
10K RSA key, it is probably not possible (note the word 
probably - when talking security, you cannot ever be 
sure!). 


There is something we can do about that — if a specific IP 
tries to connect more than x times (let's make it 5) to our 
server on port 22, we can temporarily ban that IP address 
for a few minutes — let's make it 5 (300 seconds). So this 
means that an attacker can potentially try 5 combinations 
every 5 minutes. As you probably understand, brute force 
will not work at this pace!!! 


Below, we're telling iptables to keep track of connections 
to port 22 for 300 seconds. If a (failed) hit count gets to 5, 
the connection is denied for the next 5 minutes: 


iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m rece 
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m rece 


Then, follow these with the same block-rules as before: 


iptables -A INPUT -j LOG --log-prefix "Accepted SSH " --log-level 7 
iptables -A INPUT -m set --match-set myset_USA src -j ACCEPT 
iptables -A INPUT -j DROP 


Careful — this rule also applies to yourself! 


More about logging and checking who tried to access the 
system... 


This command will display any SSH connection attempt to 
your system: 


cat /var/log/messages | grep "Accepted SSH" 


You will quickly get a hefty output (“quickly” means 
minutes of server up-time), which will not be easy to 
read. 


This revised version is probably more useful and will give 
the list of unique IP attempts — sorted by number of 
connection attempts: 


cat /var/log/messages | grep "Accepted SSH" | awk -FSRC= '{print $2}' | 


A quick explanation of the above command: 


* It outputs the content of the file /var/log/messages. 

* It keeps only lines where the keywords “Accepted 
SSH” exist. 

* It grabs the text following the keyword SRC= (IP 
address of incoming connection). 

* It sorts the list. 

* It gets only the unique IPs, but counts the number of 
occurrences of each unique IP. 

* It sorts descending as numbers (sort -n). 
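

An added example (not the article's own command) of the counting steps listed above, written as a function that takes the log file as an argument. It extracts only the SRC address and counts only PROTO=TCP DPT=22 entries, because the LOG rule as written has no port match and also records other packets that reach it; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/bash
# Added example: count logged SSH connection attempts per source address.
#
# ssh_attempts_by_source LOGFILE [TOP_N]
#   Prints "COUNT ADDRESS" lines, busiest source first (default: top 10).
ssh_attempts_by_source() {
    awk -v prefix="Accepted SSH " '
        # Keep only lines written by the LOG rule.
        index($0, prefix) == 0 { next }
        {
            src = ""; tcp = 0; ssh = 0
            # The kernel writes KEY=VALUE tokens; pick out the ones we need.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)           src = substr($i, 5)
                else if ($i == "PROTO=TCP") tcp = 1
                else if ($i == "DPT=22")    ssh = 1
            }
            # Count the line only if it is TCP to port 22 from an IPv4 source.
            if (tcp && ssh && src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                hits[src]++
        }
        END { for (s in hits) printf "%d %s\n", hits[s], s }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2 | head -n "${2:-10}"
}

# Constructed sample log lines (shortened, documentation addresses only).
# The UDP and ICMP lines carry the same prefix but are not SSH attempts;
# the sshd line mentions an address but was not written by the LOG rule.
sample_log() {
    cat <<'EOF'
Jul 20 10:15:01 iceberg kernel: [ 101.1] Accepted SSH IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Jul 20 10:15:02 iceberg kernel: [ 102.4] Accepted SSH IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40112 DPT=22 SYN
Jul 20 10:15:03 iceberg kernel: [ 103.9] Accepted SSH IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51240 DPT=22 SYN
Jul 20 10:15:04 iceberg kernel: [ 104.2] Accepted SSH IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=5353 DPT=53
Jul 20 10:15:05 iceberg kernel: [ 105.0] Accepted SSH IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51251 DPT=22 SYN
Jul 20 10:15:06 iceberg kernel: [ 106.3] Accepted SSH IN=eth0 OUT= SRC=198.51.100.50 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jul 20 10:15:07 iceberg sshd[812]: Connection closed by 203.0.113.7 port 51251
Jul 20 10:15:08 iceberg kernel: [ 108.8] Accepted SSH IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40120 DPT=22 SYN
Jul 20 10:15:09 iceberg kernel: [ 109.5] Accepted SSH IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33001 DPT=22 SYN
EOF
}
```

Run it as ssh_attempts_by_source /var/log/messages 10 to list the ten busiest sources.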


The goal of this article is firewall and security. However, I 
strongly believe that security and scripting go 
hand-in-hand. Logging intrusion attempts is great but not using 
the data is useless. As you can see, a quick shell command 
was able to provide very useful information — extremely 
quickly. I can now, for example, ban the topmost 10 IPs 
who tried to log in to my system. 


The following command will ban the IP 10.10.10.10 by 
inserting the rule on top of all rules (-I INPUT 1): 


iptables -I INPUT 1 -s 10.10.10.10 -j DROP 


Have fun and please make sure not to ban... yourself! 


7 - Output rules: 


Many times, firewalls will enforce rules only for incoming 
connections — meaning they'll allow wide-open output 
traffic. This is not a good practice — imagine that a hacker 
gets to your computer and is able to install server 
software which could then create a tunnel via a random 
port to the attacker's server and therefore provide full 
access to the attacker. 


We will also close this loophole. Basically we will allow 
outgoing access to: 


* SSH (for our remote access), this is TCP port 22. 

* HTTP and HTTPS (for web pages), these are ports 80 
and 443. 

* DNS (so our requests can be resolved!), this is port 
53. 


You probably got the point: 


* By default, DROP any output connections, unless we 
specifically tell otherwise. 

* Allow connection to localhost (the server itself). 

* Allow SSH, DNS, HTTP & HTTPS. 


iptables -P OUTPUT DROP 
iptables -A OUTPUT -o lo -p all -j ACCEPT 
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT 
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT 
iptables -A OUTPUT -p tcp --match multiport --dports 80,443 -j ACCEPT 
iptables -A OUTPUT -j DROP 


Let's put all this together... 


First build the block of IP addresses. Run all below as root 
(or sudo): 


apt-get install ipset 
wget http://www.ipdeny.com/ipblocks/data/aggregated/ca-aggregated.zone 
wget http://www.ipdeny.com/ipblocks/data/aggregated/us-aggregated.zone 


Now let's clean all firewall rules: 


iptables -F 
iptables -X 


And make sure all rules were really deleted — you should 
see this: 


iceberg ~ # iptables -L 
Chain INPUT (policy ACCEPT) 
target prot opt source destination 


Chain FORWARD (policy ACCEPT) 
target prot opt source destination 


Chain OUTPUT (policy ACCEPT) 
target prot opt source destination 
iceberg ~ # 


Then add the firewall rules in a text file (more below): 


#!/bin/bash 

# Load the ipset rules 
ipset create myset_CANADA hash:net 
for i in $(cat ca-aggregated.zone); do ipset add myset_CANADA $i; done 
ipset create myset_USA hash:net 
for i in $(cat us-aggregated.zone); do ipset add myset_USA $i; done 

iptables -F 
iptables -X 

# Input rules <== this is a comment 
iptables -P INPUT DROP 

iptables -A INPUT -i lo -p all -j ACCEPT 

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 

iptables -A INPUT -m set --match-set myset_CANADA src -j DROP 
iptables -A INPUT -p tcp --dport 80 -j ACCEPT 

iptables -A INPUT -p tcp ! --dport 22 -j DROP 

iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m rece 
iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m rece 

iptables -A INPUT -j LOG --log-prefix "Accepted SSH " --log-level 7 
iptables -A INPUT -m set --match-set myset_USA src -j ACCEPT 
iptables -A INPUT -j DROP 

# Output rules <== this is a comment 
iptables -P OUTPUT DROP 
iptables -A OUTPUT -o lo -p all -j ACCEPT 
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT 
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT 
iptables -A OUTPUT -p tcp --match multiport --dports 80,443 -j ACCEPT 
iptables -A OUTPUT -j DROP 


In order to test this out, I would recommend the 
following: 


* Use wget to get the blocks of IPs, and keep the files. 

* Copy / paste the code above to a shell file (text file 
with extension .sh and make it executable with 
chmod +x [filename]). 

* Run the file. For my example, I'll call this file 
/usr/local/sbin/firewall.sh 


You should now have the firewall fully loaded and 
operational. 


IMPORTANT - iptables -F resets the firewall and locks 
your ssh session out! When you run the file, your terminal 
will be “locked”. This is because we reset the firewall by 
blocking all rules by default. Just try connecting again to 
iceberg from another terminal. If it works — you should be 
all set, but, if you cannot, stop and restart the VM from 
the Digital Ocean panel. After the restart, the rules are not 
loaded, so you can fix that problem: For example, I 
allowed the US IP blocks because I live in the US, did you 
load the right blocks of IPs from where you live? 


I will now suppose everything worked well — we will then 
set both scripts to run at startup. 


In ubuntu 14.04, edit and add both files to /etc/rc.local. 


Note the sleep 10 - we're telling iceberg to wait 10 
seconds before running our scripts — this is to ensure that 
the network is up & running before we set up the firewall. 


I know a few of you may find the sleep 10 not optimal 
and would rather use upstart's dependencies rules. I 
personally think it is too much trouble and safe enough 
(even if somebody connects in those 10 seconds, he'd be 
locked by the iptables -F) — not to mention that upstart 
seems to be end-of-life software (even Canonical decided 
to switch to systemd in newer Ubuntu versions — this 
doesn't mean I support or not systemd, I am just noting 
Canonical’s decision). 


Anyway, during your next reboot, you should be 
automatically all set, with a system pretty well protected 
against intrusions. 


If you'd like to confirm the scripts have been properly 
executed at startup, as root run this: 


iptables -L 


and you should get the firewall rules displayed on the 
screen: 




Next month, we will install Apache (Web server) and 
secure Apache. 


Drawing with Inkscape - Part 41 
By Mark Crutch 


After last month's special celebratory detour, we return to 
finish the subject of aligning and positioning objects in 
Inkscape. We've already seen a variety of approaches, 
from grids and snapping through to tiled clones and the 
Align and Distribute dialog, but we still have two dialogs 
to consider. They both live near the bottom of the Object 
menu: “Transform...”, and “Arrange...” (“Rows and 
Columns...” if you're still using 0.48.x). 


The Transform dialog provides a more precise approach to 
moving, scaling, rotating and skewing objects when 
compared with simply dragging the selection handles 
using the mouse. In the world of SVG, every object can 
have a transformation applied to it. Rotate or skew an 
object, then look at it in the XML editor and you'll see that 
there's no obvious “rotate” or “skew” attribute, but rather 
a single “transform” attribute which holds a matrix that 
defines the cumulative effects of any transformations you 
may have applied. The details of this matrix are a little 
too mathematically intense for this series, but it's enough 
to know that each object can have its own matrix applied, 
and that a single matrix can combine the effects of 
moving, scaling, rotating and skewing into a single set of 
numbers. The Transform dialog is essentially a more 
user-friendly way of tweaking that matrix. 


On opening the dialog from the menu, or using the 
CTRL-SHIFT-M shortcut, you'll be presented with a simple 
interface featuring a handful of tabs, each with just a few 
fields. This dialog has seen little change between 0.48 and 
0.91. 
The fields on the Move tab allow you to move your 
selected objects by a specific distance, when the “Relative 
move” checkbox is enabled. Disable this, and you can 
move your objects to absolute x and y coordinates. In 
addition, the current absolute coordinates are displayed in 
the fields. With 0.91, just about every spinbox in Inkscape 
lets you enter simple calculations, so there's a good 
argument for never enabling this checkbox in that 
version. Want to move your shape 50 pixels to the right? 
Just append “+50” to the number in the “Horizontal” 
box, then hit Return and watch the field update with the 
newly calculated value. 


Positions and movements are based on Inkscape's own 
coordinate system which has the positive y axis running 
upwards from the bottom of the page (remember, this is 
the opposite of SVG's coordinate system, which has the 
origin at the top left, with the positive y-axis running 
downwards). Similarly, the selected objects are placed 
such that the bottom left corner of the bounding box is at 
the specified coordinates, with no option to use a different 
corner, or even the center of the box as the reference 
point. 


The “Apply to each object separately” checkbox is 
effectively the opposite of the “Treat selection as group” 
checkbox in the Align and Distribute dialog. If you select 
multiple objects and leave this un-checked, then the 
transformation will be applied as though all the objects 
were grouped. With it checked, each object is individually 
transformed. When relatively moving things, there's little 
difference, but, for an absolute move, it results in all the 
items being placed at the same position on the page. It's 
also particularly relevant when using the other tabs, 
where the results can differ significantly due to the state 
of this checkbox. Consider the Rotate tab: there's a huge 
difference between rotating a group of separate objects 
and rotating each object individually. 


The Scale, Rotate and Skew tabs in this dialog really need 
no additional explanation as the fields are all 
straightforward to understand. It's important to note, 
however, that only the current tab's values are used when 
the Apply button is clicked. You can't queue up a 
collection of movement, rotation and skewing to apply as 
a single operation, but instead have to press the button 
with the Move tab to the fore, then again with the Rotate 
tab selected, and so on. 


On the subject of the Rotate tab, there has been a slight 
change with version 0.91: this release adds buttons to 
determine whether rotations should be clockwise or anti- 
clockwise. The corresponding field accepts both positive 
and negative values in either release of Inkscape, so the 
buttons just make the existing functionality more obvious, 
rather than adding anything new. 


The last tab, Matrix, allows you to directly manipulate the 
six values in the SVG matrix transformation. With the 
“Edit current matrix” checkbox enabled, you can modify 
the transform that's currently being applied to the selected 
element, if there is one. With this unchecked, any changes 
you make in this tab will be mathematically combined 
with the existing matrix to produce a new, cumulative 
matrix. If you are mathematically inclined, and wish to 
play around with this tab, I recommend reading the SVG 
specification for coordinate systems and transformations: 
http://www.w3.org/TR/SVG/coords.html 

[Screenshot: the Transform dialog (Shift+Ctrl+M) with the Matrix tab selected, showing A = 0.954, B = 0.300, C = -0.300, D = 0.954, E = 0.000, F = 0.000, the “Edit current matrix” and “Apply to each object separately” checkboxes, and the Clear and Apply buttons] 



It's worth noting that SVG's transform attribute does allow 
for a series of individual translate(), scale(), rotate(), 
skewX() and skewY() functions to be used, rather than 
just the matrix() operation that combines them all. From 
an authoring perspective, it would be far nicer to store a 
45° rotation in the SVG file as rotate(45), rather than 
matrix(0.707,0.707,-0.707,0.707,0,0), but there's no 
option in Inkscape to do that, unfortunately. 
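

As an added worked example (not part of the original article), here is how the six values on the Matrix tab relate to a rotation. The SVG specification defines matrix(a,b,c,d,e,f) as the mapping 

    x' = a*x + c*y + e 
    y' = b*x + d*y + f 

and rotate(t) as matrix(cos t, sin t, -sin t, cos t, 0, 0). For t = 45°, cos t = sin t = √2/2 ≈ 0.707, which gives the matrix(0.707,0.707,-0.707,0.707,0,0) quoted above. Read in the other direction, any matrix with a = d, b = -c, a² + b² = 1 (to rounding) and e = f = 0 is a pure rotation by atan2(b, a): the values a = 0.954, b = 0.300, c = -0.300, d = 0.954, for example, correspond to a rotation of about 17.5°. 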


The last feature we'll consider in this part of the series is 
the dialog that can be found via Object > Rows and 
Columns... (0.48) or Object > Arrange... (0.91). The latter 
lays the interface out a little more neatly and adds a 
second tab, so I'll describe that version. 0.48 users should 
be able to work out the differences in the first tab, but 
you'll just have to look on in envy when I describe the 
Polar Coordinates options in the second. 


Let's start by creating a few objects to arrange. I've 
deliberately used different sizes, and semi-randomly 
placed them. I've numbered them from left to right, top to 
bottom, to make it easier to see which object moves 
where — once they're arranged using the dialog. 


On selecting these nine objects and opening the dialog, it's 
possible to set various combinations of rows and columns, 
ranging from 1x9 to 9x1. These fields are dynamic: as 
items are added to, or removed from the selection, the 
rows and columns will change; similarly as each field is 
manually altered so the other will change to ensure that 
you don't end up with an impossible combination for the 
number of elements that are selected. In this example, I've 
set the arrangement to 3 rows by 3 columns. 


You can think of this dialog as creating a number of 
conceptual cells which are arranged in rows and columns, 
then your objects placed within them. They're 
“conceptual” in that they're never really created, or 
drawn, on the canvas, but serve as a tool to more easily 
describe how Inkscape arrives at its final layout. The 
height of each cell is determined by the height of the 
tallest object in the row, and the state of the Equal Height 
checkbox. If left unchecked, then the height of each row is 
free to change to suit the tallest object within it; if 
checked, all the rows will be the same height, equal to the 
tallest object in any of the rows. An analogous calculation 
is carried out to determine the width of each cell, too. 


With the dimensions of each cell calculated, they are now 
distributed into their final positions. If the “Fit into 
selection box” radio button is active, they are evenly 
distributed to fit within the dimensions of the original 
selection's bounding box. This gives you the ability to 
distribute the objects within a specific area by carefully 
positioning two opposing corner objects. 


Alternatively you can select the “Set spacing” option, and 
enter values for the X and Y fields. In this mode the cells 
will be arranged with the specified amount of space 
between the columns (X value) and rows (Y value). These 
numbers can be negative if you want to make the cells 
overlap. Note that 0.48 allows these numbers to be 
specified only in pixels whereas 0.91, as you can see from 
the screenshot, has a pop-up menu from which to choose 
different units. 


With these imaginary cells conceptually placed on the 
canvas, it's finally time to move your objects into them. 
The “Alignment” buttons let you define how to place each 
object within its cell, allowing for any of nine relative 
positions (though you'll probably just use the center 
button most of the time). Note that 0.48 had the same 
nine possibilities available, but laid out as a pair of three- 
option radio buttons which specified the horizontal and 
vertical alignments separately. 


Having distributed our virtual cells, and aligned the 
objects within them, the result is something like this: 


It's important to understand how Inkscape chooses the 
order for the arrangement. Whereas other parts of the 
application use an object's z-index or selection order, this 
dialog is only concerned with the placement of the objects 
on the canvas. They're ordered from left to right, top to 
bottom, and laid out in the same way. You can see this 
effect quite clearly if I move the blue “8” object up a 
little, leaving its z-index the same, then reapply the 
arrangement: 


Because the objects are laid out from left to right, top to 
bottom, some arrangements can lead to an empty space in 
the bottom right corner. Here are the same nine objects in 
a 2x5 arrangement: 


Note that there's no way to get the blank space to be 
anywhere other than the bottom right cell. If you want a 
different alignment you'll have to manually alter the 
results afterwards. It's also not possible to have more than 
one blank cell - the dynamic nature of the Rows and 
Columns fields will stymie any attempts. Trying to put 
these nine objects into a 2x6 arrangement, expecting six 
objects on the top row, and three on the bottom, just 
leads to the same result as before and the fields adjusting 
themselves to 2x5. 


The second tab of this dialog allows you to place objects 
in a polar arrangement. You can either draw a circle, 
ellipse or arc as a guide on which to place your objects, or 
you can enter the parameters for such a shape within the 
dialog itself. 


[Screenshot: the Arrange dialog with the Polar Coordinates tab selected, showing the “Anchor point” options (a position on the object's bounding box, or the object's rotational center), the “Arrange on” options (first selected circle/ellipse/arc, last selected circle/ellipse/arc, or Parameterized, with Center, Radius and Angle fields), the “Rotate objects” checkbox and the Arrange button] 


The easiest way to do this is to draw a target shape 
(circle, ellipse or arc) that you wish to place your objects 
on. Send it to the bottom of the z-order, then select all the 
objects you wish to arrange plus the target itself. Ensuring 
that “First selected...” is active, click the Arrange button. 
With our previous selection of nine rounded rectangles, 
and a grey ellipse as the target, the result is something 
like this: 


As you can see, the objects have been arranged anti- 
clockwise, starting from the top right. To make them run 
clockwise from the top left, flip the ellipse horizontally 
first. For clockwise from the bottom right, flip it 
vertically. For anti-clockwise from the bottom left, flip it 
both horizontally and vertically before creating the 
arrangement. 


If the target object is your only circle, ellipse or arc in the 
selection, it doesn't really matter whether you use the 
“First selected...” or “Last selected...” option. If you do 
have more than one, however, you should ensure that you 
select the target first, then add everything else to the 
selection (“First Selected...”) or select everything else, 
then add the target to the selection (“Last selected...”). 


If you don't wish to create an additional object on the 
canvas to use as a target, the “Parameterized” option 
reveals additional fields (shown in the screenshot) to let 
you specify the details of the target arc to use. 
Realistically, it's almost always easier to draw an arc on 
the canvas to use as the target. You'll get visible feedback 
as to where your objects will be placed, and you can 
simply delete the arc once your arrangement is done, if 
you don't want it left in the drawing. 


The specific position of each object on the target shape is 
set using the “Anchor point” section in the top half of the 
dialog. You can specify one of nine positions on the 
object's bounding box - so choosing the top-left button, 
for example, would position the objects such that the top- 
left corner of each individual bounding box is placed on 
the target. The center button is the most common choice 
here, and is the one I used for the previous image. An 
interesting alternative is to use the “Object's rotational 
center” option. This will position each object so that its 
rotational center is placed on the target, allowing you a 
finer degree of control over the placement of each 
individual object. 


The “Rotate objects” checkbox determines whether your 
objects will be rotated when they are arranged, or left 
with their original orientation. The previous image was 
made with this checked; had it been left un-checked, all of 
the positioned objects would have retained their original 
orientation, such that the numbers would all have been 
the right way up. 


There's a small bug that you may have to work around: 
whilst writing this article, I found that the Polar mode 
would occasionally place all my objects on top of each 
other, rather than spacing them out around the target 
shape. I was able to reliably fix this by undoing the 
placement, then shifting the target object up (SHIFT-Up 
arrow), then back down to its previous position (SHIFT- 
Down arrow), before repeating my arrangement attempt. 


That concludes our look at the myriad ways in which you 
can arrange and position objects within Inkscape. 
Amongst them there should be something to suit most 
artistic requirements. From snapping to grids, tiled clones 
to polar arrangements, Inkscape has far more ways to 
position your shapes than initially meets the eye. 


Mark uses Inkscape to create three webcomics, 'The 
Greys', 'Monsters, Inked' and 'Elvie', which can all be 
found at http://www.peppertop.com/ 


Arduino 
by Ronnie Tucker 


OK, so this article isn’t actually about the Arduino itself, 
but it is about electronics. So it’s certainly relevant. 


Weekly/monthly boxes are nothing new. There are boxes 
for everything from crafts to snacks, and everything in 
between, but Tron-Club is doing something quite unusual: 
a monthly electronics box. 


Tron Box One 


The website (http://www.tronclub.com/) is a bit 
confusing at times, but I decided to take the plunge and 
give it a go anyway. 


The prices are quite reasonable at £11 per month (€14/ 
$14) not including postage. 


The first box comes with a whole bunch of components 
and a small booklet. Everything from a small motor, 
resistors, capacitors, chips, battery, and even a small 
plastic wheel are at your disposal. Of course, you also get 
a small breadboard for plugging everything into. 


The whole idea of the box is to ease you into electronics 
and guide you on your way to creating ever more complex 
circuits. 


The Booklet 


The booklet is your guide. It contains 22 circuits that you 
can build using the given components. It starts off easy 
with some basic resistor and LED stuff, working up to 
relay switches, a basic IR transmitter/receiver circuit, all 
the way to logic gates with a 555 chip. 


The little booklet is well done, showing both a breadboard 
layout (easy on the brain) and a proper circuit diagram (for 
the real nerd in you). Below them are a couple of 
information boxes that give you help and advice. 


Conclusion 


Sure, you can buy a big pile of components for £11 these 
days, but the good thing about Tron-Club is that it’s also 
trying to build a little community around it where you 
can get help and advice. The forum 
(http://www.tronclub.com/forum/forum-4.html) is a bit sparse at 
the moment, but this is the first box, and I’m sure it’ll 
grow over time. 


Definitely worth it, in my opinion, and I look forward to 
the next box. 


Site: http://www.tronclub.com 


Chrome 
by 


Since the Chrome OS is so streamlined and minimal, apps 
and extensions are needed. The Google Ecosphere 
improves with these little programs that operate in the 
browser: 


* An app can be defined as software that has a 
dedicated user interface but it is simpler in nature 
than a typical desktop program. 

* An extension is a program that provides 
functionality, but has no or little dedicated user 
interface. 


Both of these programs operate within the browser. Apps 
will stay locally on the SSD. Extensions are tethered to 
your Gmail account and will appear on any Chrome 
browser. 


Since we use Linux, we naturally look for the free app or 
extension. However, caution is needed when choosing 
apps or extensions. Oftentimes, you trade your online 
privacy for “free apps or extensions.” So, in that sense, 
they are not free. You can add apps and extensions only 
through the Chrome Web Store. Some of these programs 
will work offline, but not all. 


Let’s take a look at how we add an app or extension to the 
Chrome OS. The easiest way is to access the Chrome Web 
Store via 
https://chrome.google.com/webstore/category/apps?utm_source=chrome-ntp-icon. 


Once you are at the webstore you can query the type of 
extension or app needed. Let’s start with an example. I 
entered grammar in the search bar. A list of apps and 
extensions populated on the screen. I chose the Grammarly 
extension based on the high number of positive reviews. 


However, it turns out Grammarly does not work with 
Google Docs! I wanted this extension to interact with 
Google Docs, so I chose to remove it. The best way to 
remove this app is by going through the menu in the 
Chrome Browser, selecting More tools and then 
Extensions. The extension list will populate. I then clicked 
the trash can by Grammarly. I then added the After the 
Deadline extension from the webstore. 


Each app or extension details the level of interaction it 
will have with the Chrome OS. I have varying apps on my 
Chromebook to improve my productivity. I have more 
extensions than apps. The Chrome Show suggested One 
Click Extension Manager as a means of corralling the 
various apps at a time. I find this extension manager 
extremely useful. 


The authors of the apps or extensions have an interface to 
help resolve issues online in the reviews section. However, 
not all authors respond to this feature. That is why I tend 
to use the more popular and reviewed programs in the 
app store. Occasionally it would be worthwhile to pay for 
an extension or app if it offers better functionality. 


Next month I will look into maintaining online privacy 
with a Chromebook and the varying methods to ensure it. 


Write For Full Circle Magazine 


Guidelines 


The single rule for an article is that it must somehow be 
linked to Ubuntu or one of its many derivatives— 
Kubuntu, Xubuntu, Lubuntu, etc. 


Write your article in whichever software you choose—I 
would recommend LibreOffice. But, please spell and 
grammar-check it! 


The Official Full Circle Style Guide can be read at: 
http://url.fullcirclemagazine.org/75d471 


Please read this document before submitting an article. 
Follow the guidelines and you will have a much better 
chance of seeing your article in Full Circle. 


Writing 

There is no word limit for articles, but be advised that 
long articles may be split across several issues. In your 
article, please indicate where you would like a particular 
image to be. Please do not use any formatting in your 
document. 


Images 


Images should be no wider than 800 pixels, in JPG 
format, and use low compression. 


When you are ready to submit your article, please email it 
to: articles@fullcirclemagazine.org 


Non-English Writers 


If your native language is not English, don't worry. Write 
your article, and one of the proofreaders will read it for 
you and correct any grammatical or spelling errors. Not 
only are you helping the magazine and the community, 
but we'll help you with your English! 


FOR REVIEWS: 


Games/Applications 

When reviewing games/applications, please state clearly: 
* title of the game 

* who makes the game 

* is it free, or a paid download? 

* where to get it from (give download/homepage URL) 

* is it Linux native, or did you use Wine? 

* your marks out of five 

* a summary — with positive and negative points 


Hardware 

When reviewing hardware, please state clearly: 

* make and model of the hardware 

* what category would you put this hardware into? 

* any glitches that you had while using the hardware? 
* easy to get the hardware working in Linux? 

* did you have to use Windows drivers? 

* marks out of five 

* a summary — with positive and negative points 


You don't need to be an expert to write an article — write 
about the games, applications and hardware that you use 
every day. 


Basic Drupal 7 install on Ubuntu Server 
14.04 


Charles McColm 


This article is an updated version of some notes I made 
years ago about installing Drupal on Ubuntu Server. 


From the Drupal website: “Drupal is a free software 
package that allows you to easily organize, manage and 
publish your content, with an endless variety of 
customization.” Drupal, Wordpress, and Joomla are 
among the most popular web content management 
systems. Drupal is very modular compared to other 
content management systems. Wordpress tends to include 
a lot of features right off the initial install whereas Drupal 
is more of a ‘start small and tailor to your needs’ system. 


I have a habit of forgetting tasks I don’t do everyday. 
When it’s a task that requires quite a few steps, I like to 
document the steps because I find that instructions 
provided by projects sometimes skip steps or make 
assumptions I don’t know. Installing and configuring 
Apache alone can be quite a task, particularly if you’re 
setting up multiple domains or have special library 
requirements. Add the complexity of learning MySQL 
(many people learn phpmyadmin) and things get a bit 
more challenging. 


For the purpose of this article, I’m assuming access to the 
command line of a fresh install of Ubuntu Server 14.04. 


Step #1 - Update Ubuntu Server: 


sudo apt-get update 
sudo apt-get dist-upgrade 


Step #2 - Install Apache, MySQL, PHP, and some basic 
PHP libraries: 


sudo apt-get install apache2 mysql-server php5 php5-mysql php5-gd 


Several other dependencies are automatically added when 
you install Apache, MySQL and the basic PHP libraries. 


During the install process, you'll be asked to enter a 
password for the root user to access MySQL databases. 
The password you use should be long and complex, 
especially if you plan on exposing the site to the Internet 
(as opposed to Intranet). 


When the installation finishes you may notice a message 
similar to: “apache2 could not reliably determine the 
server’s fully qualified domain name, using 127.0.1.1. Set 
the ‘ServerName’ directive globally to suppress this 
message.” 


We need to set the fully qualified domain name (FQDN). 


Step #3 - Set the Fully Qualified Domain Name: 


The FQDN consists of 2 parts, the hostname of the 
computer running the server, and the domain name. 
There are a couple of ways you can solve the FQDN 
problem. The first is to set the FQDN with the 127.0.1.1 
IP address in /etc/hosts (in this case my hostname is 
drupal8g). 


The second, and preferred, method is to set the 
ServerName directive in 
/etc/apache2/conf-available/fqdn.conf and enable the 
configuration with the apache program a2enconf. First set 
the ServerName directive in 
/etc/apache2/conf-available/fqdn.conf: 


ServerName localhost 


Next we need to enable the configuration file. It’s 
important to note that the conf file must end in .conf. We 
can enable the configuration file with a2enconf: 


sudo a2enconf fqdn 


Lastly we need to reload Apache: 


sudo service apache2 reload 


Step #4 - Download and unpack Drupal and move it 
to /var/www/html: 


For the purpose of this article I’m assuming you’re just 
running a single website on a single server. If you plan on 
running multiple sites on the server your setup will be a 
little different. For multi-site setups, you’ll need to know a 
bit about modifying apache configuration files in 
/etc/apache2/sites-available. For this single site, we’re just 
going to use the already enabled 000-default.conf file 
which points to /var/www/html for the web server. 


The simplest method to download Drupal is to use wget. 
Version 7.39 is the current stable version at the time of 
this article. 


wget http://ftp.drupal.org/files/projects/drupal-7.39.tar.gz 


Next unpack Drupal 7: 


tar -zxvf drupal-7.39.tar.gz 


At this step, you may want to change into the 
drupal-7.39/ directory and read the INSTALL and 
README files. If you’re using PostgreSQL instead of 
MySQL, be sure to read the INSTALL.pgsql.txt file. If you 
run into problems installing with MySQL, you might also 
want to have a look at the INSTALL.mysql.txt file. The 
INSTALL.txt file gives an overview of an overall 
installation. If you’ve changed into the drupal-7.39 
directory, make sure you’re above it for the next step, 
moving the drupal folders to /var/www/html: 


sudo mv drupal-7.39/* /var/www/html 
sudo mv drupal-7.39/.htaccess /var/www/html 


If your server is also your desktop machine (generally not 
a great idea), you can check it out in a web browser by 
typing http://localhost/ into the web browser. From 
another Linux machine, you can type in the hostname of 
your web server http://drupal/. Despite adding the drupal 
files to /var/www/html, we still get the apache splash 
screen because there’s an index.html file in the 
/var/www/html folder. Getting rid of this file will display the 
drupal installation when you navigate to the hostname/FQDN. 


Step #5 - Create the MySQL database to hold the 
drupal files: 


Before we can set drupal up, it needs a database to write 
to. MySQL is one of the most common databases in the 
world and a great choice here. You can use a web 
interface to mysql, but I’ve always preferred to just run 
mysql itself and issue commands: 


mysql -u root -p 


[Screenshot: the MySQL monitor welcome banner, ending at the mysql> prompt] 


The -u switch tells mysql the user is the root user. The -p 
switch is used for passing the password, but if you don’t 
put one after the -p, it will prompt you for the password 
(a better idea if you work with other people around). A 
tip worth remembering is that mysql commands are 
terminated with a semicolon. At the mysql> prompt, 
create a database with whatever name you want, I tend to 
use d_sitename: 


create database d_test; 


If the command is successful, you’ll see a “Query OK, 1 
row affected” message. To see what other databases exist, 
use the show databases; command. Next we want to grant 
rights to access the database to a user who exists on the 
system. In my Ubuntu installation I used the username 
charles. The proper rights for the database can be found 
in the INSTALL.mysql.txt file. 


grant select, insert, update, delete, create, drop, index, alter, create temporary tables on d_test.* to 'charles'@'localhost' identified by 'YOUR_PASSWORD'; 


Don’t forget the .* after your database name. I did this 
several times when I was first starting to use mysql and 
couldn’t figure out why I kept getting an error. 


Next quit mysql by issuing the quit; command. If you run 
ls -al on the files in /var/www/html, you’ll notice they all 
have your username and group attached to them. Before 
installing drupal we want to change the group to the 
www-data group: 


sudo chown -R :www-data * 
sudo chown :www-data .htaccess 


If you want to specify a different username, specify it 
before the colon. For example: 


sudo chown -R charles:www-data * 


Be a bit careful about the files you’re changing 
permissions on. Make sure you’re in the path where your 
drupal files are. Drupal also needs to be able to write to 
the configuration file in the sites/default directory, so 
temporary write permission needs to be given to this 
directory: 


sudo chmod a+w sites/default 


It’s important that this write permission be removed 
immediately after the installation or your server could get 
hacked! 


Drupal has a default.settings.php file in the sites/default 
directory that needs to be copied as settings.php. 


sudo cp sites/default/default.settings.php sites/default/settings.php 


(Note: the above command is all one line with a space 
between default.settings.php and 
sites/default/settings.php.) The settings.php file also must be 
writeable, and, as with the sites/default directory, you should 
remove write permission after the installation. 


sudo chmod a+w sites/default/settings.php 


We’re almost ready to install drupal. There’s one more step 
we need before running the installation PHP script: 
enabling modrewrite. Modrewrite is an apache module 
that enables rewriting of urls so they look more clean. For 
example: Instead of your browser going to 
yoursite.com/en/ref=assstl?, the web site points to 
yoursite.com/example. To accomplish this type: 


sudo a2enmod rewrite 


Because mod_rewrite affects apache a restart is needed. 


sudo service apache2 restart 


Step #6 - Start the drupal install from a browser: 


The next step is to run the install.php file from a browser. 
If you’ve eliminated the index.html (not index.php) file, 
you should be redirected to the install.php file when you 
open the URL to your web server. I use Linux almost 
exclusively most of the time, but if you’re using a 
Windows machine to access your Linux web server, you 
may need to tell the Windows machine hosts file which 
I.P. address your Linux server resides on. On Windows, 
this file is C:\WINDOWS\system32\drivers\etc\hosts. On 
Ubuntu/Xubuntu, just enter your server URL into the 
browser. For example: http://drupal/ 


Choose Standard Installation. English is the built-in 
language. Other languages can be added and there’s a link 
on how to do this on the installation page. The 
INSTALL.txt file covers installing other languages. For the 
moment click Save and Continue. 


If all the steps above have been completed correctly you'll 
see the Drupal database configuration screen. If write 
permission is not set on sites/default, or the settings.php 
file is missing from that directory, you’ll see an error 
message indicating so. 


Enter the information for the database you created 
earlier into the database configuration page and 
click Save and Continue. 


At this point Drupal will write the settings to the 
settings.php config file. We can now safely remove write 
permissions on this file and the sites/default directory: 


sudo chmod go-w sites/default/settings.php 
sudo chmod go-w sites/default/ 
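

The chmod a+w / chmod go-w pair above is easy to leave half-done, so here is an added example (not part of the original article) that audits a web root for it: it reports whether sites/default or settings.php is still group- or world-writable and, going beyond the article, lists anything else left world-writable. The function names and the throwaway directory built by make_demo_docroot are constructed for illustration. 

```shell
#!/bin/sh
# Added example, not from the article: audit the install-time permissions
# that Step #5 opens with "chmod a+w" and Step #6 closes with "chmod go-w".

# The two paths the article makes writable for the installer.
INSTALL_PATHS="sites/default sites/default/settings.php"

# group_or_world_writable PATH
# Succeeds if PATH itself has the group-write (020) or other-write (002) bit.
group_or_world_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# list_findings DOCROOT
# Prints one line per problem; prints nothing for a clean web root.
list_findings() {
    docroot=$1
    for p in $INSTALL_PATHS; do
        if [ ! -e "$docroot/$p" ]; then
            echo "MISSING $p"
        elif group_or_world_writable "$docroot/$p"; then
            echo "STILL_WRITABLE $p (fix: sudo chmod go-w $p)"
        fi
    done
    # Beyond the article: anything else left world-writable. Group write is
    # not flagged here, because the web server group (www-data in the
    # article) may need it on some paths; that is an assumption of this check.
    find "$docroot" \( -type f -o -type d \) -perm -002 \
        ! -path "$docroot/sites/default" \
        ! -path "$docroot/sites/default/settings.php" \
        -exec echo "WORLD_WRITABLE" {} \;
}

# audit_drupal_install DOCROOT
# Prints the findings and returns 0 when clean, 1 otherwise.
audit_drupal_install() {
    findings=$(list_findings "$1")
    if [ -z "$findings" ]; then
        echo "OK: no install-time write permissions left in $1"
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# make_demo_docroot
# Builds a throwaway directory shaped like the article's /var/www/html
# (constructed sample, empty files) and prints its path.
make_demo_docroot() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/sites/default"
    : > "$demo/index.php"
    : > "$demo/sites/default/default.settings.php"
    cp "$demo/sites/default/default.settings.php" "$demo/sites/default/settings.php"
    chmod 755 "$demo" "$demo/sites" "$demo/sites/default"
    chmod 644 "$demo/index.php" "$demo/sites/default/"*.php
    echo "$demo"
}

# Demo: the state during the installer, then after the article's clean-up.
root=$(make_demo_docroot) || exit 1
chmod a+w "$root/sites/default" "$root/sites/default/settings.php"
audit_drupal_install "$root" || echo "-> installer still has write access"
chmod go-w "$root/sites/default" "$root/sites/default/settings.php"
audit_drupal_install "$root"
rm -rf "$root"
```

On a real server, call audit_drupal_install /var/www/html once the installer has finished; a non-zero exit status means one of the clean-up commands was missed. 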


The last step in setting up our Drupal installation is to 
enter your site information, including the name of your 
site, the site e-mail address (the address from which mail 
will be sent to users), your admin username/password and 
admin email address (called the site maintenance 
account), the server’s default country and time-zone, and 
whether or not you want to check for drupal updates 
automatically and receive email notifications of releases 
(a good idea). Click Save and Continue. 


Now you can proceed to log into your newly created 
Drupal site. 


[Screenshot: the new site's front page, titled “Welcome to Drupal Test site”] 


This article has covered a basic installation of Drupal. 
Some of the concepts, such as creating a MySQL database, 
enabling mod_rewrite, and installing PHP and PHP libraries, 
will be useful when installing other content management 
systems and wikis. It’s a complex process and although 
the INSTALL.txt files are available, I always found I 
needed to write down my own steps to remember the 
steps I got stuck on. 


If you get stuck during the process of installing Drupal, 
there are several good resources: 


The INSTALL.txt and README.txt files in the 
drupal-7.39/ directory 

Drupal’s Quick Install for Beginners: 
https://www.drupal.org/documentation/install/beginners 

Apache virtual hosts examples: 
http://httpd.apache.org/docs/2.2/vhosts/examples.html 

2bits.com - Besides having developed more than 30 
modules for Drupal and being a server tuning 
company, 2bits has a lot of useful articles on Drupal 
- http://2bits.com/contents/articles 


Charles McColm is the author of Instant XBMC, a short 
book on installing and configuring XBMCbuntu (a *buntu 
+XBMC distribution) - still relevant for Kodi, and the 
project manager of a not-for-profit computer reuse 
project. When not building PCs, removing malware, and 
encouraging people to use GNU/Linux, Charles works on 
reinventing his blog at http://www.charlesmccolm.com/. 


Aquaris E4.5 and E5 Ubuntu Editions 
debut in India with Snapdeal 


The Aquaris E4.5 and Aquaris E5 Ubuntu Editions are to 
be sold through Indian online marketplace, Snapdeal. It 
marks the inaugural launch of Ubuntu phone in India 
following a successful rollout of the Aquaris E4.5 and 
Aquaris E5 Ubuntu Editions in Europe. Phones will come 
preloaded with a number of scopes developed specifically 
for the Indian market. 


The Aquaris E4.5 and Aquaris E5 Ubuntu Edition handsets 
are set to launch in India through Snapdeal, India’s largest 
online marketplace. This follows on from two successful 
Aquaris Ubuntu Edition handsets launched in Europe 
earlier this year; the Aquaris E4.5 in February, and the 
Aquaris E5 in June. The devices will be available for 
purchase from Snapdeal by the end of August at a price of 
Rs 11,999 for the Aquaris E4.5 and Rs 13,499 for the 
Aquaris E5. 


BQ goes global with Ubuntu 


The successful European launches of the BQ Aquaris E4.5 
Ubuntu Edition, and its slightly larger brother, the BQ 
Aquaris E5 HD Ubuntu Edition, have seen the appetite for 
Ubuntu phones grow the world over. 


As a result of this latent demand, BQ has created an 
Ubuntu global store where anyone can now buy an 
Aquaris Ubuntu Edition handset. We’re really excited by 
this move and BQ’s clear commitment to ensuring more of 
our fans worldwide get their hands on these devices. Visit 
BQ’s global store at: http://store.bq.com/gl/ 


We know (and BQ has acknowledged) that network 
frequency, and mobile operator compatibility in some 
countries, such as the US, will limit some of the handset 
and OS functionality that European users are presently 
enjoying. However, this worldwide launch will provide 
the opportunity for our fans across the globe to get a taste 
of the Ubuntu OS and experience it for themselves on a 
great range of BQ devices. 


My Ubuntu Install Disaster 
Jim Dyer 


My goal was to install Ubuntu Linux 14.04, but then 
Windows 8.1 and related changes ruined my good plan. 


In late July of 2015, I got the idea to replace my oldest 
desktop computer, so I purchased a refurbished desktop at 
my favorite local computer store. The computer came 
with Windows 8.1 installed, and my plan was to replace 
that with Ubuntu 14.04 LTS as I had previously done 
several times from Windows XP on two desktops and my 
Acer Netbook. Those earlier experiences had learning 
curves, but nothing that was a serious problem. However, 
this time, trying to install Ubuntu to replace the Windows 
8.1 could be called very frustrating at best and a disaster 
at worst. 


I started the process a few days before leaving on a two- 
week vacation trip. At first I could not even get Ubuntu to 
install to the HD of the new computer. Some agony and 
more reading, and a few things that I failed to record, got 
me to the point where Windows 8.1 was gone and Ubuntu 
was installed. Along the way, I used GParted and deleted 
or modified partitions and, as noted above, did a few 
things that I unfortunately did not record. Installed - yes, 
boot into Ubuntu - NO. 


After hitting the “it will not boot” wall, I set it aside and 
left for vacation. Sadly, my brain continued to rehash the 
frustration as I traveled. I had only my Kindle Fire tablet 
with me so it got some workout searching Google for 
information regarding the problem I had encountered. I 
read much then and more online after returning home. 


Once home, I turned to solving the ‘will not boot’ 
problem. Again, some frustration and agony, but no 
success. At that point, my brain asked “why don’t you 
return this computer and get one that has Windows 7 
installed?”. That thought came from reading about 
Windows 8, Secure Boot and UEFI. You can search those 
things on Google as I did. I took my brain’s advice, got a 
refurbished computer with Windows 7, installed Ubuntu 
14.04 LTS from a USB drive with no problem, and once 
more became a happy Ubuntu user. 


In hindsight it is not clear to me if I created part of my 
problem, but I do not think I did. After my reading, 
talking at the computer store and reading/emailing the 
computer manufacturer Support, I was still confused. 
Certainly Windows 8 changed the install/boot process, 
but there was some info that said the computer lacked 
basic support for Linux drivers and could not run Linux as 
an OS. Did not sound right to me, but I was wanting to 
get this frustrating problem behind me so I pressed on to 
success with the Windows 7 computer as noted above. 


Jim Dyer is a retired Chemical Engineer who has evolved 
through DOS, Windows 95/98/XP, and Mac OS 6....X to 
his current Ubuntu user status. 


LETTERS 
Skype 


In issue 98 you have the question "I have heard that 
Skype is available for Ubuntu. How should I install it?" 


Please note that while Skype is technically available for 
Linux, Skype (or rather Microsoft - since they own it now) 
has stopped supporting Linux, and a lot of additional 
features (like screenshare) don't work (in case of a multi- 
participant call) or have very poor quality (in a one-on- 
one call) when using Linux (compared to Windows / 
Mac). 


People should look for an alternative (Google Hangouts 
works nicely). I didn't try Jitsi yet. 


Attila 


Multiple Passwords Script 


I know FCM #91 is not new, but I have just read it. I have 
a few remarks about the article 'HowTo - Multiple 
Passwords With A Script’. 


First of all, I would like to know the principles of 
publishing articles. I ask it because of my ambivalent 
feelings about the named article. Although it could have 
been a good howto for newbies, it can be more dangerous 
than useful. Let me explain: It makes no sense to write a 
script to encrypt a text file which contains passwords. 
There are a lot of other ways to secure our passwords. Eg: 
password manager. 


If we do this anyway, we should not store the encrypted 
file on our Desktop and the logs of the script in our home 
directory, I think. 


The author of this article mentioned that he uses this 
homemade encryption script in business, too. The average 
reader and user might conclude that this encryption 
method is safe because it was described by an expert. In 
my opinion using this script can give a false sense of 
security to the readers and users. 


In addition, this script is unchecked, it's from an author 
who is possibly not known by any reader. Full Circle 
Magazine is a great place to inform people about IT- 
security. To download and use a script by an unknown 
person (which is maybe downloaded from untrusted 
websites) is not safe. I'm afraid that publishing this howto 
was not a good idea at all. Maybe I'm wrong but I think 
that Full Circle Magazine has a task to teach the readers 
about careful computer usage. Publishing an article with a 
script to do something that can be done by other, more 
secure, ways is not logical. There are a lot of useful scripts 
published by Full Circle Magazine, but this is not one of 
them. 


So, because of my described feelings I wish to know on 
what basis you decide to accept and publish an article. 


Sorry for the long letter, I just wanted to write about my 
feelings about publishing this howto. 


Vivien 


Ronnie says: By publishing the articles we have to assume 
that the writer has checked his or her articles for errors 
(either grammatical or technical). We're a bunch of volunteers 
and aren't experts in everything. And, it goes without saying, 
that if someone runs a script (or tries anything) that we print, 
then it’s at their own peril. 


Download All The Things! 


I remember seeing an article about a script to allow 
downloading of all past issues. Can you tell me how to get 
that? 


Boudi 


Ronnie says: Open a terminal and enter these commands 
one at a time: 


cd ~/Downloads 
wget www.liedler.at/dl/dl_fcm_gui.py 
chmod +x dl_fcm_gui.py 
./dl_fcm_gui.py 


Up should pop a GUI that will let you choose which issues to 
download. 


Q&A 
By Gord Campbell 


Q I messed up my ~/.bashrc file, how do I get a new 
standard one? 


A (Thanks to steeldriver in the Ubuntu Forums) 
You can copy it from the /etc/skel/ directory. 


Q Can I use one of the recent Nvidia cards with Ubuntu? 


A Yes, see this thread: 
http://ubuntuforums.org/showthread.php?t=2263316 
(Thanks to jempa333 in the Ubuntu Forums). 


Q I use the USB serial port to connect to routers, but 
every time it reboots I have to change permission for 
/dev/ttyUSB0 and /dev/ttyS0. How can I change this 
permanently so it has chmod 777 on reboot? 


A (Thanks to SeijiSensei in the Ubuntu Forums) 
Add the command to the file /etc/rc.local, a script 
that runs after everything else that starts at boot. 
rc.local runs with root privileges, so you don't 
need sudo, just: 


chmod 777 /dev/ttyS0 
chmod 777 /dev/ttyUSB0 
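
An added check, not part of the forum answer above: mode 777 lets every local account read and write the serial port, so it helps to see which group already owns the node before putting chmod in rc.local. The function names are made up for this example, and it assumes GNU stat and Ubuntu's usual ownership for serial nodes (root:dialout, mode 660).

```shell
#!/bin/sh
# Added example: audit a serial device node before widening its mode.
# Assumes GNU stat; helper names are hypothetical.

# Print the last octal digit of the mode, i.e. the bits for "other".
other_bits() {
    mode=$(stat -c '%a' -- "$1") || return 1
    printf '%s\n' "${mode#"${mode%?}"}"
}

# Succeed if numeric group id $1 is among the groups of user $2
# (or of the current process when $2 is empty).
in_gid() {
    if [ -n "$2" ]; then
        gids=$(id -G "$2" 2>/dev/null) || return 1
    else
        gids=$(id -G) || return 1
    fi
    for g in $gids; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Print one verdict line for device $1 and (optional) user $2.
serial_access_verdict() {
    dev=$1
    user=$2
    who=${user:-the current user}
    if [ ! -e "$dev" ]; then
        # Typical for a USB adapter that is not plugged in yet.
        echo "missing: $dev does not exist right now"
        return 0
    fi
    gid=$(stat -c '%g' -- "$dev")
    gname=$(stat -c '%G' -- "$dev")
    other=$(other_bits "$dev")
    if [ $(( other & 2 )) -ne 0 ]; then
        echo "world-writable: any local account can write to $dev"
    elif in_gid "$gid" "$user"; then
        echo "ok: $who is in group $gname, which owns $dev"
    else
        echo "fix: sudo usermod -aG $gname ${user:-USERNAME}  # then log in again"
    fi
}

# On the machine from the question one would run:
#   serial_access_verdict /dev/ttyUSB0 "$(id -un)"
#   serial_access_verdict /dev/ttyS0   "$(id -un)"
```

A USB serial adapter that is plugged in after boot reports as missing at the point rc.local runs, which is why group membership is the more durable route.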


Q Netflix used to work perfectly in Chrome, but I haven't 
been able to get it to play movies for about the past 
month. When I go to the Netflix website, it loads 
normally — I can browse through programs etc — but if I 
attempt to play any video, I just see a still from the video 
(without the spinning red circle that shows it's loading) 
and, after a minute, a black screen appears that says 
"Whoops--something went wrong" with error code 
M7083-1013. 


A (Thanks to monkeybrain20122 in the Ubuntu 
Forums) Probably your profile is corrupted. Close 
Chrome. Open the file manager at your home. 
Choose ‘show hidden files’ from the menu or press 
ctrl + h. Then locate the hidden directory .config 
(note the '.'), open it and rename the subfolder 
google-chrome to something like google-chrome-bak. 
Now start Chrome and see if it works. 


Top questions at Askubuntu 


* Can someone explain tilde usage? 
http://goo.gl/PUudGJ 

* Is there any Ubuntu 14.04 theme to make it look 
like Windows 10? 
http://goo.gl/t82dtg 

* Alert when terminal program finishes running? [on 
hold] 
http://goo.gl/OMN25E 

* Which command should I use to open an mp3 file? 
http://goo.gl/1L8p1d 

* Why do I need the x permission to cd into a 
directory? 
http://goo.gl/ihnMWI 

* How to get a full size of directory without listing the 
files/dir within? 
http://goo.gl/KuRczJ 

* Shell script If syntax error 
http://goo.gl/ynHh61 

* What version is this Live CD / Live USB? 
http://goo.gl/xzOqJQ 

* How to make it so that a file can only be executed 
by root, but not as root? 
http://goo.gl/rtm60i 


Tips and Techniques 
Private folder sharing 


When I try a new distro or version of Linux, I always set 
up a folder which is shared over the network, and access 
existing shared folders on other computers. I always make 
it wide-open, with no security, and it always works 
without any command-line effort, or editing configuration 
files. The network has computers running several Ubuntu 
variants and some Windows. Then the real world came 
calling. 


I needed to set up a production-environment server with 
about 20 private shared folders, to be used for personal 
backups. So Sally, Rebecca and John would each have a 
folder where they could back up their systems, and they 
could not see each other's backups. 


The chosen operating system is Xubuntu 15.04, and I got 
it to the point where it kind of works. From other 
Xubuntu or Linux Mint systems, everything just worked. 
From Windows, not so much. The server didn't even 
appear in Windows’ Network file manager, although it 
was always accessible by IP address. Then, with nothing 
changing, the server appeared, and I could set up the 
shared folder as a drive in Windows. However, when I 
tried to run a lengthy backup, the drive would disappear 
again, and the backup would fail. 


I'm still working on it, and I hope to give a more positive 
report next month. 


Sensible Security: The Schneier Model 
Kevin O’Brien 


Back in 2001, there was an incident on September 11 that 
led many people to go “OMG! We are doomed! We must 
increase security! Do whatever it takes!” And the NSA was 
happy to oblige. On 7/7/05 an attack in London added to 
the frenzy. I think it is fair to say that these security 
agencies felt they were given a mandate to “do anything 
as long as it stops the attacks,” and thus was the 
overwhelming attack on privacy moved up a whole level. 
To be clear, security agencies are always pushing the 
limits, it is in their DNA. And politicians have learned that 
you never lose votes by insisting on stronger security and 
appearing “tough.” 


But the reality is that security is never 100%, and the 
higher the level of security, the greater the costs in terms 
of our privacy and liberty. And it is also the case that total 
insistence on liberty and privacy would cause your 
security to go down as well, so you really should not 
adopt any simple-minded approach to this problem. In 
general, as you add layers of security, each added layer 
gives you less benefit. Some simple security steps can give 
you a lot, but as you add more and more, the added 
benefit drops, and we call this the Law of Diminishing 
Returns. By the same token, each added measure extracts 
an ever-increasing cost in terms of the loss of liberty and 
privacy. Conceptually, you could draw a couple of curves, 
one rising (the costs) and the other falling (the benefits), 
and look for where the curves cross to determine the 
optimum level of security that balances the costs and 
benefits, but in practice it is not that simple. Measuring 
these costs and benefits is tricky, and there is no simple 
equation for either curve. Nonetheless, the balance does 
need to be struck. 


In the wake of the 9/11 attacks, Bruce Schneier published 
a book called Beyond Fear: Thinking Sensibly About 
Security in an Uncertain World (2003). In this book he 
shows that hysteria is not a good approach to security, 
and that you need to ask yourself some questions to see 
what the cost vs. benefit calculation looks like for you. I 
am going to draw on his model to talk about security as 
we are discussing it in this series. 


There is an old joke about what constitutes a secure 
computer. The answer is that it has to be locked in a 
vault, with no network connection, and no power 
connection, and even then you need to worry about who 
can access the vault. It is a joke, of course, because no one 
would ever do this. We use computers and the Internet 
because of the benefits they give us, and having a 
computer in a vault is just a waste of money. We accept a 
certain degree of risk because that is the only way to get 
the benefits we want. 


Schneier’s Five-Step Process 


For any security measure you are contemplating, you 
need to have a clear-eyed, rational look at the costs and 
benefits, and Schneier offers a Five-Step Process to 
accomplish this. This is a series of questions that you need 
to ask in order to figure out if this particular measure 
makes any sense: 


* What assets are you trying to protect? This is what 
defines the initial problem. Any proposed 
countermeasure needs to specifically protect these 
assets. You need to understand why these assets are 
valuable, how they work, and what attackers are 
going after and why. 

* What are the risks against these assets? To do this 
you need to analyze who threatens the assets, what 
their goals are, and how they might try to attack 
your assets to achieve those goals. You need to be 
on the lookout for how changes in technology might 
affect this analysis. 

* How well does the security solution mitigate the 
risks? To answer this, you need to understand 
how the countermeasure will protect the asset when 
it works properly, and also take into account what 
happens when it fails. No security measure is 100% 
foolproof, and every one will fail at some point in 
some circumstances. A fragile system fails badly; a 
resilient system handles failure well. A security 
measure that is slightly less effective under ideal 
conditions, but which handles failure much better, 
can be the optimum choice. And a measure that 
guards against one risk may increase vulnerability 
somewhere else. And you really need to watch out 
for False Positive vs. False Negative trade-offs. It is a 
truism that any set of measures designed to reduce 
the number of false negatives will increase the 
number of false positives, and vice-versa. 

* What other risks does the security solution cause? 
Security countermeasures always interact with each 
other, and the rule is that all security 
countermeasures cause additional security risks. 

* What trade-offs does the security solution require? 
Every security countermeasure affects everything 
else in the system. It affects the functionality of the 
assets being protected, it affects all related or 
connected systems. And they all have a cost, 
frequently (but not always) financial, but also in 
terms of usability, convenience, and freedom. 


And going through this process once is not the end. You 
need to re-evaluate your choices as systems evolve, as 
technology changes, etc. 


Example: Passwords 


I have a cartoon on the wall of my cubicle that shows an 
alert box that says “Password must contain an uppercase 
letter, a punctuation mark, a 3-digit prime number, and a 
Sanskrit hieroglyph”. We’ve all encountered this, and it 
does get frustrating. This is a humorous take on 
something that is an accepted best practice. I recall a 
story about a fellow who worked at a company that 
insisted he regularly change his password, and would also 
remember the 8 previous passwords and not let him use 
any of them again. But he liked the one he had, so he 
spent a few minutes changing his password 9 times in a 
row, the last time being back to his favored password. 
Was he a threat to security, or was the corporate policy 
misguided? Let’s try Bruce’s model and see where we get. 


* What assets is the company trying to protect? I think 
this has several possible answers. The company may 
want to prevent unauthorized access to corporate 
data on its network. Or the company wants to 
prevent unauthorized use of its resources, possibly 
with legal implications. And the company may be 
concerned to prevent damage to its network. All of 
these are good reasons to try and control who has 
access to this asset, and to protect it. But knowing 
which of these is being targeted may matter when 
we get to trade-offs and effectiveness of the 
proposed countermeasures. For now, let’s assume 
the primary interest is in preventing unauthorized 
access to the data, such as credit card numbers on 
an e-commerce site. 

* What are the risks against these assets? Well, if we 
are talking about credit card numbers, the risk is 
that criminals could get their hands on these 
numbers. From the company’s standpoint, though, 
the risk is what can happen to them if this occurs. 
Will this cause them to assume financial penalties? 
Will the CEO be hauled in front of legislative 
committees? Will their insurance premiums rise as a 
result? This is the sort of thing companies really care 
about. And when you understand this, you begin to 
see why companies all adopt the same policies. 
When people talk about “Best Practices”, you should 
not assume that anyone has actually determined in a 
rational manner what the best practices should be. It 
only means that they are “protected” in some sense 
when things go wrong. After all, they followed 
the industry “best practices”. The biggest failure of 
security is when companies or organizations just 
apply a standard set of rules instead of creating a 
process of security. I see this criticized constantly in 
my daily newsletter from the SANS Institute. 

* How well does the security solution mitigate the 
risks? This becomes a question of whether forcing 
people to change their passwords frequently is a 
significantly effective measure in preventing 
unauthorized access to computer networks. And 
here is where things really start to break down. It is 
very difficult to come up with many examples of 
cases where a password in use for a long time leads 
to unauthorized access. That is simply not how these 
things work. We know that the majority of these 
cases derive from one of two problems: social 
engineering to get people to give up their password, 
and malware that people manage to get on their 
computer one way or another. I suppose you could 
make an argument that forcing people to frequently 
change passwords might in rare cases actually do 
some good, but there is no way to say that this is in 
general an effective countermeasure against 
unauthorized access. 

* What other risks does the security solution cause? 
There are several possible risks that come out of 
this. First, since all security measures require a 
variety of resources (and people’s time and attention 
is one of those resources), emphasizing one security 
measure may take resources away from more 
effective measures that don’t get sufficient attention. 
But there are also risks from how people act in 
response to this policy. In the ideal world of the 
security department, each person with access would 
choose a long, complicated password each time, 
chosen for maximum entropy, and then memorized 
but never written down. Sadly, for the security 
department, they have to deal with actual human 
beings, who do not do any of these things. Most 
people at the very least consider this an annoyance. 
Some may actively subvert the system, like the 
fellow in our story who changed his password 9 
times in a row to get back to the one he liked. But 
even without this type of subversion, we know what 
people will do. If you let them, they will choose 
something that is easy to remember as their first 
attempt, and that means they will most likely choose 
a password that can easily be cracked in a dictionary 
attack. If you instead insist that each password 
contain letters, numbers, upper and lower case, a 
Sanskrit hieroglyph, and two squirrel noises, they 
will write it down, probably on a yellow sticky note 
attached to their monitor. If the person in question 
is a top level executive, it gets even worse, because 
they won’t put up with the BS ordinary worker bees 
have to tolerate. 

* What trade-offs does the security solution require? 
This policy causes a major impact on usability and 
convenience, and all of this for a policy that we saw 
above actually accomplishes very little. In the 
majority of organizations, the IT department is 
viewed with a certain amount of hostility, and this is 
part of it. In addition, anyone in an IT Help Desk 
can tell you that they get a lot of calls from people 
who cannot login because they forgot their 
password, which is a natural consequence of forcing 
people to keep changing it. 


Bottom Line 


So what does all of this mean in the final analysis? I think 
it means that you need to carefully consider which 
measures are actually worth taking. And this is, at least in 
part, a cost vs. benefit analysis. For instance, as I write 
this, the Heartbleed vulnerability is in the news a good 
deal, and I got to hear Bruce Schneier discuss how people 
should react. And he did not say “OMG! Change all of 
your passwords right now!” He said you should assess the 
case. If it is your password to login to your bank, that is 
probably something you want to change. But if it was 
some social network you access once every two weeks, 
you needn’t bother. And that seems reasonable. 


And as another example, although I have discussed how 
to encrypt e-mails and digitally sign them, that does not 
mean I open up GPG every time I send an e-mail. It is 
something of a pain in the posterior to do, and I use it 
judiciously. I don’t see the point in digitally signing every 
email when a lot of it is just stupid stuff anyway. 


Three Final Rules from Bruce Schneier 


We will finish this discussion with Bruce’s final three rules 
from Beyond Fear: 


* Risk Demystification: You need to take the time to 
understand what the actual risk is, and understand 
just how effective any proposed security 
countermeasure would be. There will always be a 
trade-off. If the risk is low, and the countermeasure not 
particularly effective, why are you doing this? 
Saying “we must do everything in our power to 
prevent...” a risk that is unlikely, and where the 
countermeasures are not likely to work, is how you 
get to what Snowden revealed. 


* Secrecy Demystification: Secrecy is the enemy of 
security. Security can only happen when problems 
are discussed, not when discussions are forbidden. 
Secrecy will always break down at some point. This 
is the failure mode of Security by Obscurity. Most 
often, secrecy is used to cover up incompetence or 
malfeasance. 

* Agenda Demystification: People have agendas, and 
will often use security as an excuse for something 
that is not primarily a security measure. And 
emotions can lead people to make irrational trade- 
offs. 


PENSADOR LOUCO 


THE ASTRONAUT THEN TRIED TO IMPRESS 
THEM WITH OUR TECHNOLOGY. IT WAS 
THE FIRST STEP TOWARDS COLONIZATION. 


JAKE LANDED ON A NEW PLANET AND 
MET THE ALIEN INHABITANTS. THEY 
LOOKED HARMLESS ENOUGH. 
TRAVELING AT THE SPEED OF 
20000 CRASHES PER MINUTE... 


‘T SEE. STANDARD SPEED 


HE DECIDED TO COME BACK AND 
HE'S ACTING KIND OF APOCALYPTIC 
Now. 


NOT REALLY, SIR, THE ALIEN SAID THEY 
DIDN'T NEED ANYTHING FROM US 
"EARTHLINGS" HE SAID THEY WERE 
ALREADY EVOLVED INTO A FREE AND 
PERFECT SOCIETY. HE TOLD JAKE HE 
WAS SORRY WE'RE SO PRE HISTORIC. 
Linux Loopback 2 
by 


The 1980s saw an onslaught of malicious viruses as a 
response to the increase in home computers. As a teen, Richard 
Skrenta wrote the Elk Cloner that targeted Apple 
computers in 1981. It was the first wide-scale virus 
transmitted by disk that worked from the boot sector. 
Infected Apple computers would then transmit this virus 
on to a clean disk. Elk Cloner would wipe the screen and 
display a simple poem. 



In 1983 Frederick Cohen began using the term virus to 
describe programs like Rabbit and Creeper. These 
programs worked very much like a real-life virus. In 1986, 
the first IBM PC virus was Brain Boot, which originated out 
of Pakistan. In 1987 six more viruses appeared: Cascade, 
Jerusalem, SCA, Vienna, Lehigh, and Christmas Tree. 
These viruses were boot sector viruses aimed at crippling 
the executable files on the hard drive. 


In the 1990s the viruses became more complicated, 
moving from the boot sector. The first polymorphic virus, 
named 1260, was created by Mark Washburn. This virus 
used encryption code and Vienna as a source. 


The media painted the Michelangelo virus as being the 
digital end of times in 1992. This virus was supposed to 
wipe out over a million hard drives. In reality, the 
damage from Michelangelo was over-estimated. By the 
end of the 1990s, over 14 different viruses had arisen in the digital 
world. The commercial development of antiviral programs 
started. The increased popularity of the internet helped 
viral infections spread. More than 30 viruses were 
generated from 2000 to 2005. Luckily, these viruses 
targeted the Windows OS. However, let’s review some of 
the Linux viruses. 


Computer virus hits, but termed a dud 

The first Linux virus arose in 1996, and was Staog. It 
exploited holes in the kernel and infected executable 
binary files. Bliss arose a year later; it was written to prove 
that Linux is not virus-proof, and it also affected 
executable binary files. At the end of 1999, Vit developed 
as a cross-platform OS infector. It also affected executable 
binary files. 


At the start of the new century, a number of harmless 
non-memory-resident parasitic viruses developed: 
Winter.341, Zip Worm, Satyr, Rike, and Ramen. By the 
mid 2000s, three aggressive Linux viruses were produced: 
Badbunny, Kaiten, and Koobface. Badbunny would infect 
via an OpenOffice document file format, and display a 
lewd picture. Kaiten allowed for backdoor access to a 
Linux platform. Koobface spreads through social networks 
and is aimed at gathering login information. 


Many experts agree that Linux is not impervious to 
viruses. However, the requirement for root access on many 
distros limits a virus's ability to infect the hard 
drive. The biggest threat to Linux users is social 
engineering. 


Retro Video Game Console Emulators 
using Ubuntu 


Written by Joseph Michaels 


An Ubuntu user since 2007, I consider myself a long-time 
user. In computer years, using just one operating system 
at home for eight years is a long time. Before that I was 
an avid Macintosh proponent for many years. The 
moment I installed my first Linux distro, called Ubuntu, I 
was simply amazed at how fast it made an old computer 
run. I was hooked. Never again would I dish out an 
outrageous amount of money for a name-brand computer 
that ran a solid operating system — which was Apple's OS 
X. Now I was empowered to find a used computer, at a 
fraction of the cost, install Ubuntu on it, and I was gold. 
Several times I even got free computers from a business 
that was replacing its 4 year-old Windows computers with 
new ones. The systems that were doomed for the dump 
found new life when I installed Ubuntu on them. 


A few years ago, I tried to run game console emulators on 
Ubuntu. At the time, the only emulators that were 
available, or would work, were the Windows emulators. 
So I used Wine to run those emulators. I was not a big fan 
of Wine, as it was hit or miss on which programs would 
work. Eventually, I removed Wine from my system. Years 
went by before I'd try emulation again. In fact, I didn't 
rediscover it again until about nine months ago. This 
time, I was quite delighted to find that several emulators, 
made just for Linux, worked very well on Ubuntu. 


Before I go any further, I'd like to do a bit of 
housekeeping. It's perfectly legal to download and own 
the emulators. However, it's the game roms that may still 
be protected by copyright laws. It is up to you to ensure 
that you are using the game roms legally in your country. 
There are oodles of articles on the internet concerning 
this, so I'll leave the Googling and reading up to you. The 
game roms can be found on the internet — I'll leave it at 
that. 


Below is a screenshot of the bottom left of my launcher. 
From top to bottom we have the emulators PCSX, Snes9x, 
bsnes, Kega Fusion, FCEUX, and GFCE. 
PCSX is the PlayStation one (PS1) 32-bit emulator. It can 
be installed from the Ubuntu Software Center. From my 
experience, about half the game roms will work with this 
emulator. I mainly use this emulator to play sports games. 
There were so many sports games made for the PS1, that 
you'll easily find that more than enough games work for 
the sport you're interested in. Of course there are various 
other types of games available for the PS1 - from first 
person shooter games to platform games to whatever you 
desire. On my 1600x900 monitor, I set the PCSX to run in 
a 1360 x 768 window. You can play it at full-screen, but I 
like to keep access to my system, thus I play it in a 
window. 


I don't have a dedicated video card on my system, and 
that's not because I haven't tried them. In fact, I installed 
an Nvidia GT 610 with one gig of ram. After viewing the 
System Monitor for a while, I could tell that my Core 2 
Duo processors were being taxed more than before the 
card was installed. In fact, I was experiencing a slowdown 
in frames-per-second in some of my emulators because of 
it — so I sent that card back. I decided to try an older card 
for my system, and I got an Nvidia NVS 300 card that had 
500 megabytes of memory. It did better, but still some of 
my emulators were slowing down. So I returned the 
second card and decided to stick with the integrated video 
that my motherboard had built in. Both cards would have 
worked great for me if my goal was to play native Linux 
games. In fact, I downloaded 0 A.D., and that game 
worked very smoothly with either of the cards; it plays 
choppy without a card. But my gaming is all emulating, so 
I made the decision to go without a dedicated video card. 
The PCSX emulator has the option to use the OpenGL 
1.1.78 driver, and even my integrated video can do that, 
so I do use OpenGL with that emulator and it works fine. 
There's also the option to use the Xvideo driver, but my 
system won't play the roms right using that choice. The 
PCSX emulator will play more game roms if you get the 
PS1 bios file for it. It can be found on the internet, and 
that's all I'll say about that. 


The next emulator on my launcher is the Snes9x emulator. 
This has become my favorite emulator, even though it 
emulates a 16-bit system — the Super Nintendo console. I 
used to like PCSX best, but I've really enjoyed the Super 
Nintendo games the most in the past few months. Most 
emulators allow you to save state and load state — usually 
in a menu option, or by assigning them to keyboard keys. 
In addition to allowing this, Snes9x lets you assign those 
states to the gamepad controller you're using. So you can 
quickly save state while you're playing; if you die, no 
problem, just click the load state button on your gamepad 
and give it another go. Being able to do this on the 
gamepad adds a most enjoyable element to playing 
platform games where you are trying to advance to the 
next level or beat a game boss. Some folks say it's 
cheating, or consider it an abuse of the save state and 
load state buttons when you beat a game this way, 
because that option wasn't available on the original 
consoles. I'm not such a purist, especially since this 
heightens my enjoyment of the games. 


Snes9x has the option of letting you choose the OpenGL 
driver, the Xvideo driver, or allowing the software scaler. 
I simply let the software run the game. The OpenGL is apt 
to slow down as my OpenGL is too ancient, and the 
Xvideo driver doesn't give vivid graphics. For screen 
resolution, I set the preferences to change full-screen 
resolution to 1600x900 and set it to use full-screen when 
opening a game rom. Also, I set the screen preference to 
maintain the Snes 4:3 aspect ratio. With these settings, as 
soon as a game rom is loaded, I tap the escape key once, 
and the games snap down in size so that the launcher and 
top of the Unity desktop are accessible — again, giving me 
access to the computer while playing. One last thing 
about Snes9x is that version 1.53 works only on Ubuntu 
12.04 LTS. I attempted to install multiple versions on two 
14.04 LTS systems and it would not work on either one. 
That's one of the reasons I've stayed with 12.04 LTS. This 
needs to be fixed. Another emulator that many users have 
had problems with in 12.04 and 14.04 is Zsnes — it's been 
widely reported on the forum that it freezes up at 35 
minutes and I can certainly verify that. 


Snes9x is not in the Ubuntu Software Center. If you have 
Ubuntu 12.04 LTS, you can install it with the terminal: 


sudo add-apt-repository ppa:bearoso/ppa 
sudo apt-get update 
sudo apt-get install snes9x-gtk 


Next on my launcher is the bsnes emulator, which is 
obviously another Super Nintendo emulator. This 
emulator is in the software center and is described as an 
emulator that focuses on accuracy, debugging 
functionality, and clean code. If you choose to install this 
one, make sure you also install snespurify (if it doesn't 
automatically install with bsnes). This emulator requires 
higher system requirements, although they don't tell you 
the minimum. I can, however, attest to the fact that it 
does indeed cause both of my processors to use 60 to 80% 
of their processing power. Compare that to the 20 to 40% 
that Snes9x makes my two processors work. Bsnes doesn't 
give you the option of OpenGL or Xvideo, but it probably 
uses OpenGL as its successor uses a higher version of 
OpenGL. I don't use bsnes very often for three reasons. 
First, you have to use the mouse to go to a menu to save 
state and load state. Second, you have to open snespurify 
and use that to “purify” each game rom that you want to 
play - resulting in a new game rom file being created that 
bsnes can open. Third, Snes9x seems just as accurate to 
me. I keep bsnes as a backup, in case Snes9x would not 
open a particular rom or if Snes9x stopped working for 
some reason. Bsnes also can run NES, Game Boy, and 
Game Boy color roms. I have 2 other emulators for NES; 
besides, the Game Boy type roms are such low resolution 
that they don't interest me. The successor of bsnes has had 
its name changed to Higan. In the software center, 
Higan is available for 14.04 LTS and bsnes is available in 
the 12.04 LTS software center. Snespurify is not needed 
for Higan — it's built in. 


The next emulator, with the blue and orange letter K, is 
Kega Fusion. This is the emulator for the Sega Master 
System, Game Gear, Genesis, and SegaCD. I use it to 
emulate Sega Genesis game roms. There are many heated 
debates on which console is superior — the Sega Genesis or 
the Super Nintendo. I've read quite a few online articles 
where folks take sides, and some objective articles where 
the specifications of each system are compared. Many of 
the SNES specs were superior because that system came 
out later; however, the Sega still had a faster processor 
and boasted “blast processing.” Many consider both 
systems to be the best console systems ever produced 
when you do a handicapped comparison of all the video 
game console eras. Games that were released on each 
console are often compared. And both had their signature 
games — Sonic the Hedgehog vs. Super Mario Brothers. 
Kega Fusion allows for a Genesis bios file, which you can 
find on the internet, but I've read that the Genesis did not 
have a bios file during most of its production. The 
emulator seems to work equally well with or without a 
bios file selected. Neither Snes9x nor bsnes requires the 
user to select a bios file either. I only recently added Kega 
Fusion to my arsenal, but it has loaded the few games I've 
thrown at it nicely and plays well. In the past I attempted 
to get the Sega Saturn emulator called Yabause (in the 
software center) to work — without success. So I had been 
looking for some type of Sega emulator for some time — 
Kega Fusion was suggested by a user on the Linux Mint 
forums. Although Kega Fusion doesn't allow one to 
program the gamepad for save/load states, it does allow a 
quick tap of one of two function keys to do this — which 
is much better than mousing around in menus. I'm really 
looking forward to playing more Genesis game roms. 


The next emulator is FCEUX, which is the 8-bit Nintendo 
Entertainment System emulator. One could use bsnes or 
Higan to emulate NES games, but FCEUX uses less than 
half the system resources. FCEUX does have one 
limitation — it doesn't allow for full-screen play. One can 
increase the window size to 3x scale, which basically 
makes a window about one half to one third the size of 
your screen. This is fine and I've found it to be quite 
playable. FCEUX does apply a video filter to the games, 
which smooths out the pixels. The emulator doesn't show 
in any menus which video filter it uses, and has no option 
to turn it off - which many emulators do offer. 


GFCE is the last emulator, and it's also an NES emulator. 
GFCE allows for full-screen play. In the past, GFCE 
worked well in 14.04 LTS; however, my recent attempts 
to use it on 14.04 LTS were unsuccessful and thus I 
removed it from that system. So GFCE seems to work well 
only on 12.04 LTS systems at this time. I basically keep it 
around because it allows full-screen play. 


Those are the emulators that I've been using with Ubuntu. 
Now I want to wrap this up with a few words about 
gamepad controllers. Since the days I used Macs, I've been 
using the Gravis gamepad pros — a company absorbed by 
Kensington years ago. When I started getting into 
emulation again, I picked up two of them from eBay. They 
work well and are inexpensive, but I began craving a 
controller with more... um... control. After some reading 
and posting on the Ubuntu forums, two controllers came 
to the forefront - and I was looking for the more 
inexpensive wired usb controllers. The Microsoft Xbox 
controller and the Logitech f310 gamepad were the 
frontrunners. I couldn't stand the thought of purchasing 
something from Microsoft, so Logitech it was. I found a 
refurbished F310 on Amazon for around $10 plus 
shipping, so I pulled the trigger on it. I was most 
impressed with this gamepad, and, even though 
refurbished, it looks new. It was much more accurate than 
the Gravis gamepads and it has a high-quality feel. I 
ordered another one and it was equally nice. Both 
gamepads work with the emulators without any needed 
software or drivers. I have used a friend’s wireless Xbox 
controller with the emulators. It works very well; 
however, I could not get the joystick on it to work. The 
Logitech F310 has a mode button to quickly switch 
between joystick and d-pad. One advantage of the Xbox 
controller, that I've read, is that it has levels of sensitivity 
in the joystick for non-emulator/native games like first 
person shooter games. This feature isn't needed in 
emulators though, because these classic game consoles 
didn't have such an advanced feature in their controllers. 


The Talos Principle 
by Oscar Rivera 


Who are you? Who will you become? Where do you come 
from? Where are you going? Who put us here? 


These are but a minuscule grain of questions either asked, 
insinuated or derived from the game The Talos Principle 
which was simultaneously released in December 2014 for 
Microsoft Windows, OS X & Linux. The Talos Principle is 
a first-person puzzle game developed by Croatia's Croteam 
and distributed by Devolver Digital. The game aims at 
making the player think not only through the puzzles it 
offers, but also through the story-line which is very 
philosophical in nature. When you first begin the game, in 
its default first-person view, it seems like you play the 
role of a human being awakened in an ancient Greek city- 
state, but, after solving a handful of puzzles, you begin to 
question your own existence as it is hinted that perhaps 
you're either a robot or a computer program which was 
created by......? Well, that's yet another question the game 
forces you to ask — who created you? 


The Talos Principle can be bought for around $40 by 
going to www.croteam.com/talosprinciple/, or from 
Steam. There's also a demo available with only four 
puzzles — that will leave you wanting more. By the time I 
found out that I could have installed the demo, I had 
already solved twice as many puzzles as the ones included 
in the demo. 


Originally conceived to be played on computers, The 
Talos Principle can best be played with a mouse/keyboard 
but there's also the option of using a game controller if 
you're so inclined. Movement is controlled via the 
standard WASD keys and to look around you use the 
mouse. The mouse's left-click/right-click buttons are used 
to interact with various objects throughout the game. If 
you like Portal or other similar puzzle games, then you'll 
feel right at home with The Talos Principle. Being a fan of 
the Portal games and having seen the overly positive 
response from critics and players around the world, I 
decided to buy The Talos Principle. It was money well 
spent. Since I bought the game, there has been one more 
DLC released, The Road to Gehenna, which includes more 
playable content and is selling for around $15 at the time 
of this writing. However, there are other DLC packages 
available which are smaller in both size and price. 


Playing The Talos Principle is pretty straightforward for 
anyone who's ever played a first-person shooter in the 
past. The main difference is that you're not shooting 
anything. At the beginning of the game, you walk around 
what seem to be ancient Greek ruins in search of 
tetromino (think Tetris) shaped “sigils” which you must 
collect. However, your quest becomes much more 
demanding because, in order for you to reach each one of 
these sigils, you have to avoid being spotted by sphere- 
shaped drones and wall-mounted turrets, both of which 
will fire at you if they happen to spot you. It's literally 
impossible to reach the sigils without setting off either a 
spherical drone or a stationary turret; so, in order to 
advance, you have to find and pick up portable, yellow 
jammers which will jam the drones or turrets thus 
rendering them useless. These yellow jammers also work 
on some seemingly electric gates that, unless deactivated, 
will not let you through. The real challenge is using the 
jammers properly to reach each one of the sigils. Some 
levels, for example, will have one spherical drone, one 
turret and one electric gate, but only two jammers, so it's 
up to you to figure out how to make two jammers work 
against three devices when each jammer can work against 
only one device at a time. Eventually, there are other 
devices introduced, both as tools you get to use or 
obstacles you need to overcome. 


The color-coded sigils you collect are also part of a 
greater puzzle. For example, some doors can be opened 
only by solving a sigil puzzle. Also, there are elevators 
that cannot be accessed unless you solve these sigil 
puzzles. When you have collected all sigils of the same 
color for a particular puzzle, then, when you reach its 
pertaining door or elevator, you will be required to solve 
the puzzle in order to make the door or elevator 
functional. 


To solve these sigil puzzles you must arrange the 
tetrominos in such a way as to form a square, rectangle or 
whatever shape is presented to you. After completing a 
fair number of puzzles, you begin to see that all along 
you've been playing in the first of four worlds. Your quest 
begins in world A, but when you unlock the first elevator 
you're able to reach worlds B, C and Elohim's Temple 
Tower, which is forbidden to you when you first discover 
it. 


The Talos Principle feels as if it were made to be played 
on Ubuntu. I encountered zero glitches on this game. 
There were some random graphics & sonic static 
stuttering that, at first, I thought were glitches but turned 
out to be hints relating to the story and intended to make 
you question the reality of your surroundings. The 
graphics, though not extraordinary, were above average, 
and in fact every now and then had an uplifting ray of 
sunshine or a dark depressing storm which most certainly 
affected my mood. It almost feels like it would be a crime 
to not have The Talos Principle available for Linux since 
you're constantly interacting with computer terminals that 
not only look but also work very much like a common 
Linux terminal. These terminals serve to better develop 
the story as you progress through the levels. Although the 
interaction with these terminals can be completely 
ignored if all you want is to solve the puzzles, it is 
through these terminals that the story is being told and it 
is through this story-telling that life's deepest questions 
remain with you even after you exit the game. The main 
story-line is of a deeply philosophical nature and this is 
enhanced by the meditative soundtrack which is ideal for 
problem solving and for pondering life's greatest 
mysteries. 


As much as I like playing first-person games, I cannot play 
them for an extensive amount of time because I, like 
many other people, suffer from the motion sickness 
associated with FPS games. The Talos Principle has a 
medically comforting solution for the motion sickness 
problem by switching the game from a first-person 
perspective to a third-person perspective. If you suffer 
from motion sickness with FPS games, or you just prefer 
to look at your robot while playing the game, all you have 
to do is go into “Options,” then you'll find a section 
fittingly labeled “Motion Sickness Options” which can be 
automatically set to minimize motion sickness, or you can 
fine-tune it by adjusting the available parameters, one of 
which is setting it to either first-person perspective, 
looking over right shoulder, or looking over left shoulder. 
Other options that caught my attention were the ability to 
run a benchmark as well as the option of showing the 
frames-per-second on the top right corner of the screen. 
The commonly found options of “graphics, sound, mouse/ 
keyboard, controller and language” are also available 
along with the DLC, Workshop and Reward options. All in 
all, the added extras take The Talos Principle from being a 
great game to an excellent game. 


I strongly recommend The Talos Principle after playing it 
over the last couple of months. It is an entertaining game 
that will challenge you in ways you never expected. 
Solving each puzzle gives you a deep sense of 
accomplishment, and, instead of making you put it away 
for another day, a puzzle solved encourages the player to 
keep playing and solve yet another puzzle. It plays 
remarkably well on Ubuntu via mouse/keyboard, but may 
require a compatible game controller if that is your cup of 
tea. Puzzles can be solved in a matter of minutes, which 
keeps the game's progress moving at a fast pace. The 
underlying story-line, which ties the puzzles together 
while also giving them more meaning, will indubitably 
make the player ponder humanity's ancient philosophical 
questions as they intertwine with sci-fi's ethical & 
improbable controversies. If you want a second opinion 
you will discover that critics have given The Talos 
Principle high scores across the board. 


I give The Talos Principle 5 out of 5 stars. 


Minimum System Requirements: 

OS: Linux Ubuntu 12.04. 

Processor: Dual-core 2.2 GHz. 

Memory: 2 GB RAM. 

Graphics: nVidia GeForce 8600/9600GT 512MB VRAM, 
ATI/AMD Radeon HD2600/3600 512MB VRAM. 


Hard Drive: 5 GB available space. 
Sound Card: OpenAL Compatible Sound Card. 
Additional Notes: OpenGL: 2.1 or higher. 


My gaming box: 

AMD FX-6100 3.3GHz CPU (over-clocked to 3.5GHz). 
Asus M5A97-EVO motherboard. 

Gigabyte Windforce GeForce GTX 960 graphics card with 
346.72 proprietary driver. 

8GB of Kingston Hyper X RAM & 1TB Seagate Barracuda 
hard drive. 

Ubuntu 14.04.3 LTS with Unity desktop. 


Oscar graduated with a music degree from CSUN, is a 
Music Director/Teacher, software/hardware beta tester, 
Wikipedia editor, and active member of the Ubuntu 
community. 
You can follow him at: www.gplus.to/7bluehand, https://twitter.com/7bluehand 
or email him at: www.7bluehand@gmail.com 
Bill Berninghausen 
Jack McMahon 
Linda P 

Remke Schuurmans 
Norman Phillips 
Tom Rausner 
Charles Battersby 
Tom Bell 

Oscar Rivera 

Alex Crabtree 
John Malon 

Ray Spain 

Richard Underwood 
Charles Anderson 
Ricardo Coalla 
Chris Giltnane 
William von Hagen 
Mark Shuttleworth 
Juan Ortiz 

Joe Gulizia 

Kevin Raulins 
Doug Bruce 

Pekka Niemi 

Rob Fitzgerald 
Brian M Murray 
Roy Milner 

Brian Bogdan 
Scott Mack 

Dennis Mack 


Donations 


John Niendorf 
Daniel Witzel 
Douglas Brown 
Donald Altman 
Patrick Scango 
Tony Wood 

Paul Miller 
Colin McCubbin 
Randy Brinson 
John Fromm 
Graham Driver 
Chris Burmajster 
Steven McKee 
Manuel Rey Garcia 
Contribute to Full Circle Magazine 
FULL CIRCLE NEEDS YOU! 


A magazine isn't a magazine without articles - and Full 
Circle is no exception. We need your opinions, desktops, 
stories, how-to’s, reviews, and anything else you want to 
tell your fellow *buntu users. Send your articles to: 
articles@fullcirclemagazine.org. 


We are always looking out for new articles to include in 
Full Circle. For help and advice, please see the Official 
Full Circle Style Guide: http://url.fullcirclemagazine.org/75d471 


Send your comments or Linux experiences to: 
letters@fullcirclemagazine.org 

Hardware/software reviews should be sent to: 
reviews@fullcirclemagazine.org 

Questions for Q&A should go to: 
questions@fullcirclemagazine.org 

Desktop screens should be emailed to: 
misc@fullcirclemagazine.org 

or you can visit our forum via: 
www.fullcirclemagazine.org 


Full Circle Team: 
Editor - Ronnie Tucker - ronnie@fullcirclemagazine.org 


Webmaster - Lucas Westermann - admin@fullcirclemagazine.org 
Podcast - Les Pounder & Co. - podcast@fullcirclemagazine.org 


Editing & Proofreading: 
Mike Kennedy 
Lucas Westermann 


Gord Campbell 
Robert Orsino 
Josh Hertel 
Bert Jerred 


Our thanks go out to Canonical, to the many translation 
teams around the world, and to Thorsten Wilms for the 
current Full Circle logo. 


Getting Full Circle Magazine: 


EPUB Format - Most editions of Full Circle have a link to 
the epub file on the downloads page. If you have any 
problems with the epub file, you can drop an email to: 
mobile@fullcirclemagazine.org 


Google Currents - Install the Google Currents app on 
your Android/Apple devices, search for 'full circle' (within 
the app), and you'll be able to add issues 55+. Or, you 
can click the links on the FCM download pages. 


Ubuntu Software Centre - You can get FCM via the 
Ubuntu Software Centre: https://apps.ubuntu.com/cat/. 
Search for 'full circle', choose an issue, and click the 
download button. 


Issuu - You can read Full Circle online via Issuu: 
http://issuu.com/fullcirclemagazine. Please share and rate FCM 
as it helps to spread the word about FCM and Ubuntu 
Linux. 


